Show HN: a Demo of the WebAuthn Specification (webauthn.io)
15 points by nailer on May 24, 2023 | hide | past | favorite | 15 comments



WebAuthn is a silly name; it stands for Web Authentication.

A company recently released a product on HN which seemed to be a thin wrapper around webauthn.

So I thought I'd show HN this demo (not mine) so people know that you don't need any software to authenticate users, simply using Windows Hello and TPM, Mac Touch ID and Secure Enclave, or Android whatever and TEE.

When you register, the website makes a keypair, the TPM/Enclave/TEE stores the private key, and the website remembers the public key.

When you log in, you use your biometric or USB device to access TPM/Enclave/TEE and sign a message for you. The website knows it's you because it has your public key. The private key never leaves your TPM/Enclave/TEE.

So yeah, this is part of the web now. You don't need to pay someone to use it.


How do you back it up offline?


You can’t. I imagine when you get a replacement or additional device you manually reconfirm your email and get issued another keypair, so all subsequent logins to that website just use your face or finger or whatever.


That's the thing that I find unconvincing about WebAuthn. There seems to be no other way than to associate several key devices with every website you are using if you are concerned about losing a key device (or getting a new phone, or a new laptop with a TPM).


Totally understood - you have to do it once per website per device but I get that's still a hassle. That said it doesn't have the UI quirks that (even good) password managers have.


Only registering new "serious business" accounts while near your second master key is easier than it sounds to us today.


Well, that is DOA.


On iOS I would like to use Bitwarden, but no: it is activate Keychain (don't want to complicate Bitwarden, so no), external device, or QR only.


It asks me to enter a "security key" into my USB port, which I do not have. Is that the expected behaviour? Both Chrome and Firefox on Windows.


Does your laptop/PC have a built-in TPM module? I.e., do you log in with Windows Hello? If not, you'll need a security key.


Desktop PC with a 12th gen Intel CPU, which has a TPM 2.0 module. I don't use Windows Hello though.

So are you saying I need to change how I log into Windows to be able to use this website / security method? I didn't really trust Windows Hello because of all the junk they bundle with Windows now. I just assumed it had some angle to it.

I'll have to do some more reading into how this works. So far this seems much more complex than a password though. If the browser is just generating a keypair and sharing the public key, you'd think that would be possible without any specialized hardware chips or USB keys.


You don't need to use Windows Hello; you should be able to use the TPM with a FIDO2 key or similar.

Difference is the private key can never be read again. It can only be used to sign things.


Can anyone explain how one would log in with WebAuthn if he has lost his device and is signing from a different device? Will it work, or is his account lost forever?


It isn't described anywhere. So probably a password reset by email.

It's a solution that was long overdue, but they didn't account for multiple devices and applications.

It’s pretty shit tbh. Was looking forward to using it, but I’ll stick with random characters


You can't, because the certs are on the device in a secure enclave. Unless you let Google/Apple/Microsoft back them up to their cloud. Then you need to hope you don't lose access to that too when your device was lost. Or you can just have multiple devices/security keys in case this happens.



