hertg,

Question about implementation of . As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).

How is (or should) with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then, based on the user response, prompting for another factor (e.g. ) in case there was no UV? I am a bit confused about how to fit Passkeys into the current logic.

tbroyer,
@tbroyer@piaille.fr avatar

@hertg The website says you should use "preferred" and check whether UV was actually used.

https://passkeys.dev/docs/use-cases/bootstrapping/#a-note-about-user-verification

See also this FAQ, but it's about supporting either passkeys or password+mfa:
https://fido-alliance.github.io/how-to-fido/HowToFIDO.html#71-phishing-resistant-account-bootstrapping-with-optional-passwordless-sign-in

iamkale,

@tbroyer @hertg Hello, one of the maintainers of passkeys.dev here 👋

You're correct that "preferred" can sometimes mean UV is not performed during auth, and that it is indeed single-factor auth if the user isn't also verified. It's a trade-off an RP can make between user experience and security, and here's a scenario demonstrating that:

On macOS, when a user's device is in clamshell mode (closed but connected to external KB+M and monitor) they can't use Touch ID. If UV is "required" during auth then these users must always enter their local system password on the typical OS "use Touch ID" prompt instead. If UV is "preferred" then the OS skips this password prompt instead, and UV would return "false" in the response.

If the MacBook is open, then for the same "preferred" option the user would tap Touch ID and UV would be "true" in the response.

For "passwordless" authentication it can seem weird to laypeople that "a password is still required to log in." Is it worth sacrificing consistent multi-factor authentication to streamline login for users without an available biometric sensor? That depends entirely on your security modeling.

I would suggest it's okay to go with "preferred" and occasionally be okay with UV coming back false when you recognize the access device. If needed you can always step up to "required", for example when the user appears to be logging in from a new device, or for other privileged operations within your system.
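The check both replies describe (request UV as "preferred", then read the UV flag the authenticator actually returned and step up when it is absent) as an added example in Python. This is not code from passkeys.dev, the FIDO Alliance, or any of the posters; the RP ID `example.com`, the `device_recognized` signal, and the sample authenticator data are all constructed assumptions. It parses only the fixed-size prefix of WebAuthn `authenticatorData` (32-byte rpIdHash, flags byte, 4-byte signature counter), which is where the UP and UV bits live; signature verification and challenge matching are left to a full WebAuthn library.

```python
import base64
import hashlib
import os
import struct
from dataclasses import dataclass

# Bit positions of the WebAuthn authenticatorData "flags" byte (offset 32).
FLAG_UP = 0x01  # User Present: the user touched/interacted with the authenticator
FLAG_UV = 0x04  # User Verified: PIN, biometric or local password was checked
FLAG_BE = 0x08  # Backup Eligible (set for synced passkeys)
FLAG_BS = 0x10  # Backup State: credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backup_state: bool
    sign_count: int


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Decode the fixed 37-byte prefix of authenticatorData from an assertion."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return AuthData(
        rp_id_hash=auth_data[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backup_state=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def assertion_options(rp_id: str, step_up: bool) -> dict:
    """PublicKeyCredentialRequestOptions the RP hands to navigator.credentials.get().

    Default is "preferred"; a step-up flow (new device, privileged action) asks
    for "required" so the platform must verify the user before signing.
    """
    challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
    return {
        "challenge": challenge,
        "rpId": rp_id,
        "userVerification": "required" if step_up else "preferred",
    }


def decide(auth_data: bytes, expected_rp_id: str, device_recognized: bool) -> str:
    """Policy after an assertion has been received (signature already verified).

    Returns "accept", "step_up" (ask again with UV required or for another
    factor) or "reject". device_recognized is the RP's own signal, e.g. a
    long-lived cookie bound to a previously verified session (assumed here).
    """
    ad = parse_auth_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject"          # assertion was made for a different RP ID
    if not ad.user_present:
        return "reject"          # no user interaction at all
    if ad.user_verified:
        return "accept"          # possession + PIN/biometric: two factors
    if device_recognized:
        return "accept"          # possession only, but on a device we already trust
    return "step_up"             # unknown device and no UV: require a second factor


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData for local testing (not a real assertion)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Synced passkey (BE+BS set, counter 0) with Touch ID used: UV bit present.
    with_uv = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    # Same passkey used in clamshell mode with "preferred": only UP is set.
    without_uv = make_auth_data("example.com", FLAG_UP | FLAG_BE | FLAG_BS, 0)
    print(decide(with_uv, "example.com", device_recognized=False))     # accept
    print(decide(without_uv, "example.com", device_recognized=True))   # accept
    print(decide(without_uv, "example.com", device_recognized=False))  # step_up
    print(assertion_options("example.com", step_up=True)["userVerification"])  # required
```

The RP never has to trust the client's claim about how the credential was unlocked: the UV bit is inside the signed `authenticatorData`, so once the assertion signature checks out, reading that bit is the reliable way to know whether the login was one factor or two.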

nsa,
@nsa@hachyderm.io avatar