The many faces of WebAuthn

WebAuthn is a technology that allows secure public-key authentication to be used as a second factor in web browsers.

It supports storing these credentials in a few places. On Windows, the Windows Hello API is used to store data securely on the operating system, or on a hardware key.

On macOS, relevant APIs are used, including Touch ID, and on Linux, each implementation can do as it chooses - usually supporting FIDO2 keys and PC Smart Cards.

Mobile devices often include a built-in FIDO2 key, and while your phone will likely still let you use a hardware key such as a YubiKey, on iOS and Android you may be offered the option to just authenticate with your fingerprint.

As such, there are very differing user experiences of how using WebAuthn looks and feels on different browsers and operating systems.

I aim to include a view of all of these, just because I think it’s interesting.

I will first test registering and authenticating on webauthn.io, as this shows the full signing up and signing in experience.

Second, I will show me authenticating with Bitwarden to show a real world test case, and to show what signing in without a PIN looks like.

Windows 10 / Firefox

Under Windows, Firefox uses Windows Hello, so you get a very Windows-looking prompt asking you to sign in. It supports (and requires if it can) setting a PIN, and while I cannot test it on my PC, it should support fingerprints etc.

First up, registering!

Windows asks for my YubiKey’s PIN, then to touch my key.

Now, signing in:

Finally, this is all I got on Bitwarden:

Windows 10 / Edge

I chose to test Edge as it is Chromium based and comes with Windows.

The UI I was given was basically the same as Chromium under Linux, and interestingly on registering, it presented me with a QR code to scan (my iPhone did not recognise this code as useful):

But after clicking back to see a page almost identical to the first image from Linux Chromium (see below), but with more Microsoft styling, and choosing to use a hardware key, I was dropped straight back into Windows Hello, so I didn’t bother with any more testing.

Linux / Chromium

Chromium has full WebAuthn support built in, including multiple devices and authenticator PINs.

First - registering:

And signing in:

Finally, Bitwarden:

Linux / Firefox

Now, Firefox on Linux and macOS has to use its own implementation of WebAuthn, and it’s not really as complete as some other implementations.

This includes no support for PINs, a more basic UI, and no support for Apple Touch ID.

Here’s what registering looks like:

And logging in is the same on webauthn.io and Bitwarden due to lack of PIN:

I personally quite like this UI - it follows the browser theme, it’s unobtrusive, and, almost uniquely, requires no extra interaction to use, just touch your key and go!

If your security key requires a PIN though, you will hit issues.
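The difference between a touch-only sign-in like the one above and a PIN-plus-touch sign-in is visible to the website in the flags byte of the authenticator data. The sketch below is an added example, not code from this post, webauthn.io or Bitwarden; the function names and sample bytes are constructed for illustration, while the byte layout and the `required` / `preferred` / `discouraged` values come from the WebAuthn specification.

```javascript
// Added example: decode the fixed 37-byte header of WebAuthn authenticatorData
// (rpIdHash[32] | flags[1] | signCount[4]) and apply a user-verification policy.
const FLAG_UP = 0x01; // bit 0: user present (the key was touched)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric was checked)
const FLAG_AT = 0x40; // bit 6: attested credential data follows the header
const FLAG_ED = 0x80; // bit 7: extension data follows the header

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false), // big-endian signature counter
  };
}

// Hypothetical relying-party check. `requirement` mirrors the userVerification
// option the site sent to the browser: "required", "preferred" or "discouraged".
function checkUserVerification(bytes, requirement) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) return { ok: false, reason: "no user presence" };
  if (requirement === "required" && !data.userVerified) {
    return { ok: false, reason: "PIN/biometric required but UV flag not set" };
  }
  return { ok: true, reason: data.userVerified ? "touch + PIN/biometric" : "touch only" };
}

// Constructed sample input: filler rpIdHash (not a real hash), flags, counter.
function sampleAuthData(flags, counter) {
  const bytes = new Uint8Array(37).fill(0xab, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, counter, false);
  return bytes;
}

const touchOnly = sampleAuthData(FLAG_UP, 7);             // key touched, no PIN
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV, 8); // PIN entered, then touch
console.log(checkUserVerification(touchOnly, "required"));    // rejected
console.log(checkUserVerification(touchOnly, "discouraged")); // accepted, touch only
console.log(checkUserVerification(touchAndPin, "required"));  // accepted
```

A site that asks for `required` and checks the UV flag this way will reject the touch-only response, which is one way the PIN issue shows up on the server side.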

macOS Ventura / Safari

Time to fire up my macOS virtual machine!

So I had issues testing Safari, as it has severe rendering bugs (website elements or even entire sites just go white) in my macOS virtual machine, so I couldn’t test webauthn.io.

I did manage to sign in to Bitwarden blind though! (Well, I didn’t sign in because I didn’t pass my key through, but I got the UI up.)

macOS Ventura / Firefox

On macOS, perhaps unsurprisingly, Firefox uses the same UI as on Linux: its own implementation.

I hear that Firefox 113.0 beta improves FIDO2 USB support on Linux and macOS (source), so perhaps maybe soon?

macOS Ventura / Chromium

Interestingly, Chromium also used its own UI under macOS - seems they only share UIs on Windows.

It did, however, prompt to use a passkey (I’ve never interacted with passkeys before this!), and offered to turn on Bluetooth before anything else, which was new.

iOS (14)

On iOS, you get a consistent prompt - hold your NFC key near the top of your phone or activate your Lightning key, enter a PIN if necessary, and you’re done!

Registering:

Signing in:

And Bitwarden:

Conclusion

idk there you go that’s all of them

This is a really lazy blog post but hopefully it’s fine.

Hope to cya back here soon
— Yellowsink

QUIET SYSTEM YELLOWSINK @ UWUNET 2023-04-13