Santosh

Reputation: 95

Managing webauthn credentials across multiple devices

I am trying to integrate WebAuthn (public key) based authentication into our website. I am facing a problem when end users are switching devices.

How do we maintain at the backend the credentials registered per device? If we don't, how do we decide whether to show WebAuthn-based auth or not for the current device?

These are the only solutions I could think of:

  1. Use localStorage, cookies, etc. to store a device identifier, but all of these can be cleared by the end user
  2. If keys are registered on one device, we show them WebAuthn on every device, and if keys can't be found we ask them to register on this device

Upvotes: 9

Views: 4579

Answers (1)

FlxMgdnz

Reputation: 454

You're highlighting one of the key issues that WebAuthn currently has, especially for platform authenticators like Windows Hello, Touch ID, etc.

The solutions you suggest are basically all you can do, but be aware that both are far from perfect. Local storage in particular can be a real rabbit hole.

You may want to take a look at FIDO Alliance's latest white paper around "multi-device FIDO credentials" where you'll learn what the industry is doing to improve the situation: https://fidoalliance.org/white-paper-multi-device-fido-credentials/

Upvotes: 6
