logo

blog

My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

webauthn-vs-interoperability.xml (2331B)

    

  1. <!--
  2. Copyright © 2014 Haelwenn (lanodan) Monnier
  3. SPDX-License-Identifier: LAL-1.3
  4. -->
  5. <entry>
  6. <title>WebAuthn vs. Interoperability</title>
  7. <link rel="alternate" type="text/html" href="https://hacktivis.me/articles/webauthn-vs-interoperability"/>
  8. <id>https://hacktivis.me/articles/webauthn-vs-interoperability</id>
  9. <published>2025-10-29T16:43:16Z</published>
  10. <updated>2025-10-29T16:43:16Z</updated>
  11. <link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/ad12e048-a5a2-435f-85fa-100e7481b547" />
  12. <link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/ad12e048-a5a2-435f-85fa-100e7481b547" />
  13. <content type="xhtml">
  14. <div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
  15. <p>
  16. 	WebAuthn, also marketed as passkeys for a subset of it, is something
  17. 	that seems rather scary to me from an interoperability perspective.
  18. </p>
  20. <p>
  21. 	Not only it's a lock-in in terms of authenticators, it's also a lock-in to Chrome/Firefox/Safari.<br />
  22. 	Wanted to use an alternative browser?  Nope.<br />
  23. 	And you can probably forget using it on embedded devices outside of Android/iOS.<br />
  24. 	Wanted to authenticate to a service on your e-reader?  Nope.
  25. </p>
  27. <p>
  28. 	But there's also the issue of authenticating from non-browsers
  29. 	such as native applications, granted a lot of them use OAuth tokens
  30. 	or similar but there's a sort of bootstrapping problem in systems
  31. 	where you don't have a full-blown mainstream browser.<br />
  32. 	(And good luck copying the OAuth token from one device to another)
  33. </p>
  35. <p>
  36. 	And the design of WebAuthn means you can't copy
  37. 	the generated token into a text field, unlike
  38. 	<a href="https://en.wikipedia.org/wiki/Time-based_one-time_password">TOTP</a>
  39. 	(sometimes branded as things like Google Authenticator)
  40. 	which has none of those issues while still allowing to use hardware tokens.
  41. </p>
  43. <p>
  44. 	You could argue on usability, WebAuthn is likely friendlier
  45. 	to most when you follow the intended path thanks to browser-integration.
  46. 	But not due to the underlying WebAuthn properties which instead
  47. 	causes problems, and ones that you're likely to discover the hard way:
  48. 	Getting the authenticators you use revoked;
  49. 	Not being able to authenticate on some devices;
  50. 	Backups being harder;
  52. </p>
  53. </div>
  54. </content>
  55. </entry>