Meteor Login using WebAuthn API

Has anyone worked out how to integrate the WebAuthn API as a passwordless login mechanism for Meteor? This would allow users to log in using Windows Hello, TouchID, a Yubikey, etc. The code to register and authenticate users is fairly straightforward, but I don’t know how to let Meteor know the user is now authenticated. Any thoughts on how this could be done?

There’s a nice WebAuthn demo here: https://webauthn.io/

2 Likes

We use a combination of this

And Meteor’s accounts API

1 Like

@rjdavid , thanks for the response. However, I don’t see any Meteor Accounts method to log in the user that doesn’t require a username/password combo, an emailed token, or an OAuth integration. How did you go from successfully authenticating a user using WebAuthn to logging that user into their Meteor account?

Ah! It looks like I need to use the undocumented Accounts.registerLoginHandler

Good point that Accounts.registerLoginHandler() is not in the documentation :thinking:

1 Like

Hey! I’ll add that to our backlog, Thanks for letting us know

Any updates on this? Maybe someone already implemented it in a custom Meteor package?

1 Like

Added an issue to the core: Accounts.registerLoginHandler is still undocumented · Issue #12189 · meteor/meteor · GitHub

2 Likes

Usability is now improved with the implementation of passkeys in Chrome

The desktop to mobile authentication is very powerful

1 Like

Anyone move exclusively to using WebAuthn? Seems like this is the way to go for a new project.

I have WebAuthn working, but until passkeys that can be shared across platforms become more widely available/adopted, most implementations tie the authentication to a single device, which requires alternate authentication options (e.g. I replaced my laptop/phone and now I can’t log in). Have a look at my issue trying to support multiple MFA authentication methods in my Meteor app.

The WebAuthn API also has an awkward user workflow when trying to register ‘platform’ vs ‘cross-platform’ authentication methods on the same PC. E.g. I have “Windows Hello” and a YubiKey, and it seems to always want to default to “platform” (Windows Hello) first, only presenting the YubiKey as an option if I cancel the Windows Hello dialog. In other words, the API appears to force a requirement to first ask the question “Do you want to register a ‘platform’ authenticator or a ‘cross-platform’ authenticator?”, which of course requires explaining what the differences are. I can’t seem to find a way to show all of the detected authenticators (platform & cross-platform) so that the user can choose one.

1 Like

Here are my learnings since implementing passkeys in our apps:

  1. Users who use hardware keys (e.g. Yubikey) are used to using “Try another option” when presented with 2FA authentication
  2. When saving the user’s credentials, save the credential “device type” used by the user. After the first successful login of the user, you can save a user’s reference in the browser and use that reference the next time he tries to log in again. Then use the saved credential device type when prompting for authentication so the correct authentication type will be displayed to the user

1 Like
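Two of the points raised above, the platform vs cross-platform choice at registration time and remembering the credential’s device type so the next login prompts for the right authenticator, come down to how the `publicKey` options passed to `navigator.credentials.create()` / `.get()` are built. The following is an added example, not code from either poster and not from Meteor or SimpleWebAuthn: pure helper functions you can run in Node or in the browser. The per-credential record shape (`{ id, transports, attachment, deviceType }`), the option defaults and the constructed credential object in the test are assumptions; it goes slightly beyond the posts by also deriving “single-device vs synced passkey” from the backup-eligible flag in the authenticator data.

```javascript
// Added example, not code from the thread: helpers for the two WebAuthn
// ceremonies discussed above. The stored record shape and the option defaults
// are assumptions. In a browser, `challenge` and `user.id` must be BufferSource
// (e.g. Uint8Array); here they are passed through as given.

// Registration options. Leaving authenticatorAttachment unset lets the browser
// offer both platform (Windows Hello, Touch ID) and cross-platform (YubiKey)
// authenticators; passing 'platform' or 'cross-platform' restricts the prompt,
// which is the extra question the thread complains about having to ask.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge, attachment, excludeIds = [] }) {
  const options = {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }], // ES256, RS256
    authenticatorSelection: { residentKey: 'preferred', userVerification: 'preferred' },
    // Already-registered credential IDs, so the same key is not enrolled twice.
    excludeCredentials: excludeIds.map((id) => ({ type: 'public-key', id })),
    timeout: 60000,
  };
  if (attachment === 'platform' || attachment === 'cross-platform') {
    options.authenticatorSelection.authenticatorAttachment = attachment;
  }
  return options;
}

// Flags byte (authenticatorData[32]): bit 3 is "backup eligible" (BE). A BE
// credential is a synced passkey ('multiDevice'); otherwise it is bound to one device.
function deviceTypeFromFlags(flags) {
  return (flags & 0x08) ? 'multiDevice' : 'singleDevice';
}

// The record to keep next to the public key after a successful registration.
// `credential` is the PublicKeyCredential returned by navigator.credentials.create().
function describeRegisteredCredential(credential) {
  const response = credential.response;
  const authData = typeof response.getAuthenticatorData === 'function'
    ? new Uint8Array(response.getAuthenticatorData())
    : null;
  return {
    id: credential.id,
    transports: typeof response.getTransports === 'function' ? response.getTransports() : [],
    attachment: credential.authenticatorAttachment || 'unknown', // 'platform' | 'cross-platform'
    deviceType: authData && authData.length >= 37 ? deviceTypeFromFlags(authData[32]) : 'unknown',
  };
}

// Authentication options. The credential the user last used goes first and
// carries its transports, so the browser leads with the right authenticator
// instead of defaulting to the platform one. `lastUsedId` is the reference
// saved in the browser after the first successful login.
function buildAuthenticationOptions({ rpId, challenge, credentials, lastUsedId }) {
  const last = credentials.filter((c) => c.id === lastUsedId);
  const rest = credentials.filter((c) => c.id !== lastUsedId);
  return {
    rpId,
    challenge,
    timeout: 60000,
    userVerification: 'preferred',
    allowCredentials: [...last, ...rest].map((c) => ({
      type: 'public-key', id: c.id, transports: c.transports,
    })),
  };
}
```

Usage in the browser is `navigator.credentials.create({ publicKey: buildRegistrationOptions(...) })` and `navigator.credentials.get({ publicKey: buildAuthenticationOptions(...) })`; the record from `describeRegisteredCredential` is what the server stores, and its `id` is what you keep in `localStorage` as the “user’s reference” for the next visit. Keeping `transports` is what lets the browser skip the Windows Hello dialog for a USB key; `deviceType` tells you whether losing the device also means losing the credential, which is the recovery problem raised earlier in the thread.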

All our internal tools, like the admin panel and CRM, are now only accessible through passkeys. I am hoping that next year, we will be ready to remove passwords from our user-facing apps (as of now, we are just prompting our users to save a passkey when the device supports it)

1 Like

Yes, once the authenticator is registered, the workflow for the user to verify their authentication request works great. I can present all the ‘platform’ and ‘cross-platform’ authenticators they’ve registered for them to choose one (or simply automatically try using the last authenticator they used, or initially try the authenticator they set as the default). It’s the initial registration of the authenticators that is awkward and requires an additional step and explanation. It’d be fine in a corporate or closed environment (of techies), but ends up being confusing for much of the general public to understand.

In a similar way that Bitcoin/cryptocurrency is still somewhat difficult to adopt & use by the general public, I feel like it’s important to make the UX of moving away from single-factor (password) authentication as easy to use as possible if we want general adoption by the public.

Is anyone able to share some boilerplate code?

1 Like

Check this: https://simplewebauthn.dev/

Which also requires knowledge how to do custom login with meteor: Accounts (multi-server) | Meteor API Docs

Yes, I saw those links. I’ve implemented a couple of OAuth providers, but doing it with the base package is new to me; this is why I asked for a snippet.

Edit: the simplewebauthn lib also requires Node 16+

I have it on my bucket list to do as an official Meteor package, or at least lobby for one. :wink:
@nachocodoner @grubba

3 Likes

I’m working on an example I wanted to turn into a Meteor guide. Got all the bits in place, just need to apply some styling and polish things.

I decided against a package, as WebAuthn itself is not a standalone authentication solution, or a very sufficient signup experience; it’s more like an add-on login helper.

2 Likes