Meteor Login using WebAuthn API

cormip · June 30, 2022, 4:22am

Has anyone worked out how to integrate the Webauthn API as a passwordless login mechanism for Meteor? This would allow users to login using Windows Hello, TouchID, a Yubikey, etc. The code to register and authenticate users is fairly straightforward, but I don’t know how to let Meteor know the user is now authenticated? Any thoughts on how this could be done?

There’s a nice WebAuthn demo here: https://webauthn.io/

rjdavid · June 30, 2022, 5:00am

We use a combination of this

And Meteor’s accounts api

cormip · June 30, 2022, 2:16pm

@rjdavid , thanks for the response. However, I don’t see any Meteor Accounts method to login the user that doesn’t require a username/password combo, an emailed token, or an oAuth integration. How did you go from successfully authenticating a user using WebAuthn to logging that user into their Meteor account?

cormip · June 30, 2022, 2:59pm

Ah! It looks like I need to use the undocumented Accounts.registerLoginHandler

rjdavid · June 30, 2022, 7:38pm

Good point that Accounts.registerLoginHandler() is not in the documentation

hschmaiske · July 4, 2022, 1:15pm

Hey! I’ll add that to our backlog, Thanks for letting us know

afrokick · September 19, 2022, 2:17pm

Any updates on this? Maybe someone already implemented it in custom meteor package?

jkuester · September 21, 2022, 9:36am

Added an issue to the core: Accounts.registerLoginHandler is still undocumented · Issue #12189 · meteor/meteor · GitHub

rjdavid · October 17, 2022, 3:59am

Usability is now improved with the implementation of passkeys in chrome

rjdavid · October 17, 2022, 4:16am

The desktop to mobile authentication is very powerful

jam · February 11, 2023, 4:00pm

Anyone move exclusively to using WebAuthn? Seems like this is the way to go for a new project.

cormip · February 11, 2023, 4:57pm

I have WebAuthn working, but until passkeys that can be shared across platforms become more widely available/adopted, most implementations tie the authentication to a single device which requires alternate authentication options. (e.g. I replaced my laptop/phone and now I can’t login). Have a look at my issue trying to support multiple MFA authentication methods in my Meteor app.

The WebAuthn API also has an awkward user workflow when trying to register ‘platform’ vs ‘cross-platform’ authentication methods on the same PC. e.g. I have “Windows Hello” and a YubiKey and it seems to always want to default to “platform” (Windows Hello) first and only presenting the YubiKey as an option if I cancel the Windows Hello dialog. In other words, the API appears to force a requirement to first ask the question “Do you want to register a ‘platform’ authenticator or a ‘cross-platform’ authenticator?” which of course needs to be explained what the differences are. I can’t seem to find a way to show all of the detected authenticators (platform & cross-platform) so that the user can choose one.

rjdavid · February 11, 2023, 5:26pm

Here are my learnings since implementing passkeys in our apps:

Users who use hardware keys (e.g. Yubikey) are used to use “Try another option” when presented with 2fa authentication
When saving the user’s credentials, save the credential “device type” used by the user. After the first successful login of the user, you can save a user’s reference in the browser and use that reference the next time he tries to login again. Then use the saved credential device type when prompting for authentication so the correct authentication type will be displayed to the user

rjdavid · February 11, 2023, 5:44pm

All our internal tools, like the admin panel and CRM, are now only accessible through passkeys. I am hoping that next year, we will be ready to remove passwords from our user-facing apps (as of now, we are just prompting our users to save a passkey when the device supports it)

cormip · February 11, 2023, 6:22pm

Yes, once the authenticator is registered, the workflow for the user to verify their authentication request works great. I can present all the ‘platform’ and ‘cross-platform’ authenticators they’ve registered for them to choose one (or simply automatically try using the last authenticator they used, or initially try the authenticator they set as the default). It’s the initial registration of the authenticators that is awkward and requires an additional step and explanation. It’d be fine in a corporate or closed environment (of techies), but ends up being confusing for much of the general public to understand.

In a similar way that Bitcoin/cryptocurrency is still somewhat difficult to adopt & use by the general public, I feel like it’s important to make the UX of moving away from single-factor (password) authentication as easy to use as possible if we want general adoption by the public.

ruohki · January 15, 2024, 10:34am

is anyone able to share some boilerplate code?

rjdavid · January 15, 2024, 12:03pm

Check this: https://simplewebauthn.dev/

Which also requires knowledge how to do custom login with meteor: Accounts (multi-server) | Meteor API Docs

ruohki · January 15, 2024, 12:30pm

Yes, i saw those links. I’ve implemented a couple oauth providers but doing it with the basepackage is new to me, this is why I asked for as snippet.

Edit the simplewebauthn lib also requires node 16+

storyteller · January 16, 2024, 5:01pm

I have it on my bucket list to do as an official Meteor package, or at least lobby for one.
@nachocodoner @grubba

ruohki · February 6, 2024, 7:24pm

I’m working on an example i wanted to turn into a metero guide. Got all the bits in place, just need to apply some styling and polish things.

I decided against a package as webauthn itself is not a standalone, or well very sufficent signup expirience, authentication solution, more like an add-on login helper.