Has anyone worked out how to integrate the WebAuthn API as a passwordless login mechanism for Meteor? This would allow users to log in using Windows Hello, TouchID, a Yubikey, etc. The code to register and authenticate users is fairly straightforward, but I don’t know how to let Meteor know the user is now authenticated. Any thoughts on how this could be done?
@rjdavid, thanks for the response. However, I don’t see any Meteor Accounts method to log the user in that doesn’t require a username/password combo, an emailed token, or an OAuth integration. How did you go from successfully authenticating a user using WebAuthn to logging that user into their Meteor account?
I have WebAuthn working, but until passkeys that can be shared across platforms become more widely available/adopted, most implementations tie the authentication to a single device, which requires alternate authentication options (e.g. I replaced my laptop/phone and now I can’t log in). Have a look at my issue trying to support multiple MFA authentication methods in my Meteor app.
The WebAuthn API also has an awkward user workflow when trying to register ‘platform’ vs ‘cross-platform’ authentication methods on the same PC. E.g. I have “Windows Hello” and a YubiKey, and it seems to always want to default to “platform” (Windows Hello) first, only presenting the YubiKey as an option if I cancel the Windows Hello dialog. In other words, the API appears to force a requirement to first ask the question “Do you want to register a ‘platform’ authenticator or a ‘cross-platform’ authenticator?”, which of course requires explaining what the differences are. I can’t seem to find a way to show all of the detected authenticators (platform & cross-platform) so that the user can choose one.
Here are my learnings since implementing passkeys in our apps:
Users who use hardware keys (e.g. Yubikey) are used to using “Try another option” when presented with 2FA authentication
When saving the user’s credentials, save the credential “device type” used by the user. After the first successful login of the user, you can save a user’s reference in the browser and use that reference the next time he tries to log in again. Then use the saved credential device type when prompting for authentication so the correct authentication type will be displayed to the user
All our internal tools, like the admin panel and CRM, are now only accessible through passkeys. I am hoping that next year, we will be ready to remove passwords from our user-facing apps (as of now, we are just prompting our users to save a passkey when the device supports it)
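The “save the device type, replay it on the next login” approach from the post above, as an added client-side example (not code from the thread or from Meteor). The helpers are pure so they run outside a browser; the `navigator.credentials.create()`/`get()` calls that surround them in a real client, the `HINT_KEY` storage key and the `rpId` are assumptions.

```javascript
// Added example (not from the thread): remember which kind of authenticator a
// user registered with and replay that hint on the next login, so the browser
// prompts for the right one (YubiKey vs. Windows Hello) without the extra click.

const HINT_KEY = 'passkey-login-hint'; // hypothetical localStorage key

// Call with the PublicKeyCredential returned by navigator.credentials.create().
function describeRegisteredCredential(cred, userId) {
  const resp = cred.response;
  // getTransports() is not implemented everywhere, so guard it.
  const transports = typeof resp.getTransports === 'function' ? resp.getTransports() : [];
  // 'platform' (Windows Hello, Touch ID) or 'cross-platform' (roaming key);
  // fall back to inferring it from the transports when the browser omits it.
  const deviceType = cred.authenticatorAttachment || inferAttachment(transports);
  return { userId, credentialId: cred.id, transports, deviceType };
}

function inferAttachment(transports) {
  if (transports.includes('internal')) return 'platform';
  if (transports.some(t => ['usb', 'nfc', 'ble', 'hybrid'].includes(t))) return 'cross-platform';
  return null;
}

// Persist the hint in the browser. It is a UX hint only: the server must still
// verify the assertion against the stored public key; nothing here grants access.
function saveLoginHint(hint, storage) { storage.setItem(HINT_KEY, JSON.stringify(hint)); }
function loadLoginHint(storage) {
  const raw = storage.getItem(HINT_KEY);
  return raw ? JSON.parse(raw) : null;
}

// Build the PublicKeyCredentialRequestOptions for navigator.credentials.get().
// `challenge` must be freshly generated by the server (here: a Uint8Array).
function buildLoginOptions(hint, challenge, rpId) {
  const opts = { challenge, rpId, userVerification: 'preferred', timeout: 60000 };
  if (hint && hint.credentialId) {
    // Naming the credential and its transports steers the browser straight to
    // the authenticator the user registered with.
    opts.allowCredentials = [{ type: 'public-key', id: base64UrlToBytes(hint.credentialId), transports: hint.transports }];
  } else {
    // No hint: an empty list lets the browser offer any discoverable credential.
    opts.allowCredentials = [];
  }
  return opts;
}

function base64UrlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64 + '='.repeat((4 - b64.length % 4) % 4)), c => c.charCodeAt(0));
}
```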
Yes, once the authenticator is registered, the workflow for the user to verify their authentication request works great. I can present all the ‘platform’ and ‘cross-platform’ authenticators they’ve registered for them to choose one (or simply automatically try using the last authenticator they used, or initially try the authenticator they set as the default). It’s the initial registration of the authenticators that is awkward and requires an additional step and explanation. It’d be fine in a corporate or closed environment (of techies), but ends up being confusing for much of the general public to understand.
In a similar way that Bitcoin/cryptocurrency is still somewhat difficult to adopt & use by the general public, I feel like it’s important to make the UX of moving away from single-factor (password) authentication as easy to use as possible if we want general adoption by the public.