Hi @grzuy that's correct - we've been in touch with Yubico about a couple of things and among others they recommended we require attestation during our registration flow. I've asked them why since they don't publish to the FIDO MDS; to my knowledge they don't even self-publish metadata. Best I could find was https://developers.yubico.com/U2F/Attestation_and_Metadata/ for U2F. Long story short, as long as we employ WebAuthn for 2FA only we don't see the added value at Shopify, but for a potential usernameless & passwordless flow we see the potential for metadata to safeguard users from compromised authenticators, similar to HaveIBeenPwned for passwords. I haven't heard back from them yet, but at the moment the MDS does not feel very useful.
SoloKeys self-publishes over at https://github.com/solokeys/solo/tree/master/metadata - according to solokeys/solo#89 publishing on the MDS was too expensive for them, but that can't be a problem for Yubico.
Also finished extracting the metadata client: https://github.com/bdewater/fido_metadata
This is awesome :rocket: !!!!
Nice, we were actually talking about that yesterday with Gonzalo :muscle: I think he saw it on Twitter yesterday
This is awesome!
haha! good luck :D
Thank you very much! It went well. We got lot of positive feedback.
People get excited about WebAuthn, which is cool.
Yes, I would like this to work in hand with an admin account. The idea is that I would first sign in with username and password, followed by inserting a Yubikey as a multifactor sign-in process.
Now I did have this originally using the devise-u2f gem, but since Microsoft only allowed WebAuthn authentication through Windows 10, I've been forced to look at different solutions. I did email the guy who was running the devise-webauthn gem to ask if he had a working version. However, he said he was so caught up with other projects that he didn't know when he would get around to it, which was what led me to the webauthn-ruby gem since you guys had a really cool working demo.
Hi @callags,
There are a bunch of WebAuthn tutorials in https://github.com/herrjemand/awesome-webauthn#resources. From those you can learn how WebAuthn works and what goes on in the frontend and on the backend. Once you're ready to code the backend side, you can look at https://github.com/cedarcode/webauthn-rails-demo-app as a reference implementation.
In one of the PRs for attestation I argued for being able to inject Time objects as a dependency so you could easily re-verify attestation statements later to see if authenticators are still reliable. Today I saw an article about Intel TPM flaws which illustrates why I feel it's a legit use case that ought to be supported :) https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html
Doesn't need to be part of #304, which is big enough as it is, I think. Trying to find some time soon to test it by resurrecting https://github.com/cedarcode/webauthn-rails-demo-app/pull/113/