Has anyone worked out how to integrate the Webauthn API as a passwordless login mechanism for Meteor? This would allow users to login using Windows Hello, TouchID, a Yubikey, etc. The code to register and authenticate users is fairly straightforward, but I don’t know how to let Meteor know the user is now authenticated? Any thoughts on how this could be done?
There’s a nice WebAuthn demo here: https://webauthn.io/
We use a combination of this
And Meteor’s accounts api
@rjdavid , thanks for the response. However, I don’t see any Meteor Accounts method to login the user that doesn’t require a username/password combo, an emailed token, or an oAuth integration. How did you go from successfully authenticating a user using WebAuthn to logging that user into their Meteor account?
Ah! It looks like I need to use the undocumented Accounts.registerLoginHandler
Good point that Accounts.registerLoginHandler() is not in the documentation 
Hey! I’ll add that to our backlog, Thanks for letting us know
Any updates on this? Maybe someone already implemented it in custom meteor package?
Added an issue to the core: Accounts.registerLoginHandler is still undocumented · Issue #12189 · meteor/meteor · GitHub
Anyone move exclusively to using WebAuthn? Seems like this is the way to go for a new project.
I have WebAuthn working, but until passkeys that can be shared across platforms become more widely available/adopted, most implementations tie the authentication to a single device which requires alternate authentication options. (e.g. I replaced my laptop/phone and now I can’t login). Have a look at my issue trying to support multiple MFA authentication methods in my Meteor app.
The WebAuthn API also has an awkward user workflow when trying to register ‘platform’ vs ‘cross-platform’ authentication methods on the same PC. e.g. I have “Windows Hello” and a YubiKey and it seems to always want to default to “platform” (Windows Hello) first and only presenting the YubiKey as an option if I cancel the Windows Hello dialog. In other words, the API appears to force a requirement to first ask the question “Do you want to register a ‘platform’ authenticator or a ‘cross-platform’ authenticator?” which of course needs to be explained what the differences are. I can’t seem to find a way to show all of the detected authenticators (platform & cross-platform) so that the user can choose one.
Here are my learnings since implementing passkeys in our apps:
All our internal tools, like the admin panel and CRM, are now only accessible through passkeys. I am hoping that next year, we will be ready to remove passwords from our user-facing apps (as of now, we are just prompting our users to save a passkey when the device supports it)
Yes, once the authenticator is registered, the workflow for the user to verify their authentication request works great. I can present all the ‘platform’ and ‘cross-platform’ authenticators they’ve registered for them to choose one (or simply automatically try using the last authenticator they used, or initially try the authenticator they set as the default). It’s the initial registration of the authenticators that is awkward and requires an additional step and explanation. It’d be fine in a corporate or closed environment (of techies), but ends up being confusing for much of the general public to understand.
In a similar way that Bitcoin/cryptocurrency is still somewhat difficult to adopt & use by the general public, I feel like it’s important to make the UX of moving away from single-factor (password) authentication as easy to use as possible if we want general adoption by the public.
