
What's the story here regarding software tokens? As I understand it, the WebAuthn standard doesn't preclude non-hardware tokens, but doesn't explicitly define support for it either. In particular, I would like to use my phone and its built-in Titan M chip for WebAuthn authentication over the internet, instead of using a hardware token. Is that possible or on the horizon?



That will already work right now!

Go to https://webauthn.io on your phone and it will ask for your PIN or fingerprint and then use the Titan chip for the handshake! If it doesn't work, select "Platform authenticator" in the drop down.

Will also work on iOS 13 beta.

If your computer has a TPM 2.0 chip then it will also work on Microsoft Edge in Windows 10 (and maybe also other browsers, if they implement the WebAuthn Microsoft Hello API).

Website is implemented with the excellent https://github.com/duo-labs/webauthn library, by the way.


iOS 13.3 is what's required (not "13 beta"), and 13.3 was released a few weeks ago.


Thanks for the info. This is not really 2FA anymore though, is it? Now WebAuthn authentication is happening on the same device as the one I'm using to log into the service. Is there a way to use my phone as a completely separate factor for WebAuthn authentication?


WebAuthn is not a 2FA API. It's an authentication API. One of its use cases is to enhance password login (2FA), but it can also be used as a single factor.

That is up to the implementor.

The implementor can ask the browser for certain security features of the authentication device. E.g. is the authentication device the same device as where the authentication flow is happening; is there a biometric check on the device or a PIN on the device (i.e. the second factor is there but device-local); who is the manufacturer of the device (with consent of the user, given this is privacy-sensitive info); etc. And the implementor can then make a decision whether a device is 'strong' enough for single factor auth. All this information is cryptographically attested by the device.

You can ignore all that and only ever use it as a second factor, though. That's totally up to you and how you use the authentication primitives that WebAuthn provides.
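An added example (not from anyone in this thread, and not code from duo-labs/webauthn) of the two halves the comment above describes: the registration options a relying party can send to the browser to ask for a platform authenticator with user verification and attestation, and the server-side parse of the returned authenticatorData flags and AAGUID on which the "strong enough for single factor" decision is made. The RP name, user record and sample byte buffers are constructed for the example.

```javascript
// Registration options a relying party passes to
// navigator.credentials.create({ publicKey: registrationOptions }) in the browser.
// It asks for a device-local (platform) authenticator, requires user
// verification (PIN or biometric), and requests direct attestation so the
// server can learn the authenticator model (AAGUID), which the browser shows to the user for consent.
const registrationOptions = {
  challenge: new Uint8Array(32),                       // constructed; a real server generates random bytes
  rp: { name: 'example-rp' },                          // assumed relying party name
  user: { id: new Uint8Array(16), name: 'alice', displayName: 'Alice' },  // constructed user
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
  authenticatorSelection: {
    authenticatorAttachment: 'platform',               // same device as the login flow
    userVerification: 'required',                      // PIN or biometric on the device
  },
  attestation: 'direct',
};

// Server side: parse the authenticatorData returned with the attestation.
// Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) |
//         attestedCredentialData: aaguid(16) | credentialIdLength(2) | credentialId | COSE key
function parseAuthenticatorData(bytes) {
  const flags = bytes[32];
  const out = {
    userPresent: (flags & 0x01) !== 0,            // UP: user touched/confirmed the device
    userVerified: (flags & 0x04) !== 0,           // UV: PIN or biometric was checked
    hasAttestedCredential: (flags & 0x40) !== 0,  // AT: attested credential data follows
    signCount: new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0),
    aaguid: null,                                 // identifies the authenticator model
  };
  if (out.hasAttestedCredential) {
    out.aaguid = [...bytes.subarray(37, 53)].map(b => b.toString(16).padStart(2, '0')).join('');
  }
  return out;
}

// The policy decision belongs to the relying party: here, only a verified user on an
// attested credential counts as strong enough for passwordless single-factor login.
function strongEnoughForSingleFactor(parsed) {
  return parsed.userPresent && parsed.userVerified && parsed.hasAttestedCredential;
}

// Constructed sample: flags UP|UV|AT = 0x45, signCount 1, AAGUID of all 0x11 bytes.
const sampleAuthData = new Uint8Array(37 + 16 + 2);
sampleAuthData[32] = 0x45;
sampleAuthData[36] = 1;
sampleAuthData.fill(0x11, 37, 53);
// A second constructed sample with only UP set: a touch-only key, rejected by the policy above.
const touchOnlyAuthData = new Uint8Array(37);
touchOnlyAuthData[32] = 0x01;
```

A real deployment would also verify the attestation signature and the rpIdHash before trusting any of these flags; the parse alone only reads what the authenticator claims.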


Thanks again for the info. Sounds like I have some more reading up to do on WebAuthn.


I read that iOS 13.3 supports using a hardware token with WebAuthn. It doesn't say you can just use Touch ID to log in without a separate WebAuthn token...

> Currently, the WebAuthn second-factor use case (the FIDO U2F user experience) is the only login flow that is supported. Security key-based biometrics or PIN (without the use of username and password) are not supported yet.

https://www.yubico.com/2019/12/native-support-for-webauthn-a...


*webauthn.io, I assume

EDIT: Disregard the rest of what I wrote here previously, I didn't realize it was Duo Labs's own website.


Website is not by me. I fixed the link. Thanks.

But webauthn.io and webauthn.guide are both copyright of Duo Labs, and so is the library, so I guess they can do whatever they want ;) I assume the two websites and the library are by the same author.

Also, the library lives on the server side, not the client, and given the license is not AGPL there is no need to state that they're using it either.

(Edit: original comment was accusing me of copyright infringement for some reason)


> But webauthn.io and webauthn.guide are both copyright of Duo Labs and so is the library so I guess they can do whatever they want ;)

Yeah, I didn't realize that. Tried to edit it in, but too late.

> Also the library lives on the server side ; not client ; and given the license is not AGPL there is no need to state that they're using it either.

And I didn't notice that. I thought it was JavaScript, but it was Go all along. Doubly my bad.

> (Edit: original comment was accusing me of copyright infringement for some reason)

I was (wrongly) assuming webauthn.io was in violation of the license of the library because I thought it was a client-side library.



