Yes, I would like this to work in hand with an admin account. The idea is that I would first sign in with username and password, followed by inserting a Yubikey as a multifactor sign in process.
Now I did have this originally using devise-u2f gem, but since Microsoft only allowed Webauthn authentication through Windows 10, I've been forced to look at different solutions. I did email the guy who was running the devise-webauthn gem if he had a working version. However, he said he was caught up with other projects that he didn't know when he would get around to it. Which was what lead me to the webauthn-ruby gem since you guys had a really cool working demo.
Hi @callags ,
There a bunch of WebAuthn tutorials in https://github.com/herrjemand/awesome-webauthn#resources. From that you can learn how WebAuthn works, what goes on the frontend and on the backend. Once you're ready to code the backend side, you can see https://github.com/cedarcode/webauthn-rails-demo-app to have as a reference implementation.
In one of the PRs for attestation I argued for being able to inject Time objects as a dependency so you could easily later re-verify attestation statements to see if authenticators are still reliable. Today I saw an article about Intel TPM flaws which illustrate why I feel it's a legit use case that ought to be supported :) https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html
doesn't need to be part of #304 which big enough as it is I think. Trying to find some time soon to test it by resurrecting https://github.com/cedarcode/webauthn-rails-demo-app/pull/113/
congrats in finalizing the MDS work Gonzalo! have you submitted the test results using the conformance tool? :)
hope y'all are staying safe in these weird times
Hi @bdewater Congrats to you too! I practically recycled what your implementation and adapted it to
master! :-) Haven't submitted yet
I have been playing around for the new RelyingParty based model in the context of the PR we have open. I wrote a functional test to see the different usages we might have with the new interface and the transition we would go through as well as folks staying on the old interface (the one in the README, not an older one :smile: ).
Showing it here to get early feedback and bc I don't have a PR open for it as I'm waiting on the SignatureVerifier removal to get in for the main topic branch.
some interesting notes on the caBLE proposal to make Android phones usable as an authenticator for laptops/desktops: https://github.com/w3c/webauthn/issues/1381#issuecomment-624808667
Interesting. This would allow much more flexibility specially for desktops computers and people that want to rely on their phones instead of security keys. Hope they make progress there! Given we're usually on laptops with fingerprints and sec. keys, etc I haven't put much thought about desktop computers and how limited they probably are to use only keys... Thanks for sharing!
Hey folks ! It's been a while!
After almost a year in 3.0.0.alpha1 and several issues/pulls from people using multiple RPs I think it's time to finally release an oficial 3.0.0 while keep a 2-stable release to keep adding features/fixes to latest version of 2.X. I think that having a 3-dev branch for it was fine but as we add more features, if we don't have it in master, we're gonna have a hard time keeping up the development that consider the RelyingParty API in v3. Specially those that involve things in the configuration.
We didn't get any feedback about the new API, but we know that people that created issues didn't complain about it neither.
Anyways, open for feedback and thoughts from our small community. If I don't hear any concerns in the future week/s my plan is to proceed on releasing it.
Thank you in advance!