commit: 48c1d2a3114031db8800726b9950cb7d161f1977
parent 4dd9f730bfea697675122162048e486030e305aa
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Wed, 29 Oct 2025 18:15:08 +0100
articles/webauthn-vs-interoperability: new
Diffstat:
4 files changed, 56 insertions(+), 0 deletions(-)
diff --git a/articles/webauthn-vs-interoperability.xml b/articles/webauthn-vs-interoperability.xml
@@ -0,0 +1,53 @@
+<entry>
+<title>WebAuthn vs. Interoperability</title>
+<link rel="alternate" type="text/html" href="https://hacktivis.me/articles/webauthn-vs-interoperability"/>
+<id>https://hacktivis.me/articles/webauthn-vs-interoperability</id>
+<published>2025-10-29T16:43:16Z</published>
+<updated>2025-10-29T16:43:16Z</updated>
+<!--
+<link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" />
+<link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/50be9d37-dee6-4c69-818e-013fa3b010d0" />
+-->
+<content type="xhtml">
+<div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
+<p>
+	WebAuthn, also marketed as passkeys for a subset of it, is something
+	that seems rather scary to me from an interoperability perspective.
+</p>
+
+<p>
+	Not only it's a lock-in in terms of authenticators, it's also a lock-in to Chrome/Firefox/Safari.<br />
+	Wanted to use an alternative browser?  Nope.<br />
+	And you can probably forget using it on embedded devices outside of Android/iOS.<br />
+	Wanted to authenticate to a service on your e-reader?  Nope.
+</p>
+
+<p>
+	But there's also the issue of authenticating from non-browsers
+	such as native applications, granted a lot of them use OAuth tokens
+	or similar but there's a sort of bootstrapping problem in systems
+	where you don't have a full-blown mainstream browser.<br />
+	(And good luck copying the OAuth token from one device to another)
+</p>
+
+<p>
+	And the design of WebAuthn means you can't copy
+	the generated token into a text field, unlike
+	<a href="https://en.wikipedia.org/wiki/Time-based_one-time_password">TOTP</a>
+	(sometimes branded as things like Google Authenticator)
+	which has none of those issues while still allowing to use hardware tokens.
+</p>
+
+<p>
+	You could argue on usability, WebAuthn is likely friendlier
+	to most when you follow the intended path thanks to browser-integration.
+	But not due to the underlying WebAuthn properties which instead
+	causes problems, and ones that you're likely to discover the hard way:
+	Getting the authenticators you use revoked;
+	Not being able to authenticate on some devices;
+	Backups being harder;
+	…
+</p>
+</div>
+</content>
+</entry>
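Review bot: The paragraph beginning "And the design of WebAuthn means you can't copy the generated token into a text field" says TOTP "has none of those issues" but leaves out the other side of that design choice. The browser-mediated exchange is what lets WebAuthn bind the response to the requesting origin, whereas a TOTP code that can be typed into any text field can also be typed into a look-alike site. One sentence acknowledging that trade-off would make the interoperability argument harder to dismiss. Smaller points in the same hunk: "Not only it's a lock-in" reads better as "Not only is it a lock-in", "which instead causes problems" should agree with "properties" ("cause"), and the closing semicolon-separated items starting at "Getting the authenticators you use revoked;" sit inside a single <p>, so they will render as one run-on line; a <ul> would keep them as a list.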
diff --git a/config.ninja b/config.ninja
@@ -30,3 +30,4 @@ build articles/no-noscript-element.html: article entry.xsl articles/no-noscript-
 build articles/on-licensing.html: article entry.xsl articles/on-licensing.xml
 build articles/self-hosting.html: article entry.xsl articles/self-hosting.xml
 build articles/wasm-hype-wish.html: article entry.xsl articles/wasm-hype-wish.xml
+build articles/webauthn-vs-interoperability.html: article entry.xsl articles/webauthn-vs-interoperability.xml
diff --git a/feed.atom.in b/feed.atom.in
@@ -11,6 +11,7 @@
 
 	<updated>2025-10-06T17:40:29Z</updated>
 	<!-- new.sh: new articles here -->
+<xi:include href="articles/webauthn-vs-interoperability.xml"/>
 <xi:include href="articles/lie-of-the-third-place.xml"/>
 <xi:include href="articles/on-licensing.xml"/>
 <xi:include href="articles/no-noscript-element.xml"/>
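Review bot: The feed-level <updated> in the context line just above the insertion still reads 2025-10-06T17:40:29Z, while the entry included here carries <published> and <updated> of 2025-10-29T16:43:16Z, and the diffstat shows 0 deletions, so that line is not touched anywhere in this commit. Unless the build step rewrites it when generating the feed from feed.atom.in, bump it in the same commit so that feed readers relying on the feed-level timestamp notice the new entry.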
diff --git a/home.shtml b/home.shtml
@@ -13,6 +13,7 @@
 		<p>List of articles, newest first:</p>
 		<ol class="indexlist">
 			<!-- new.sh: new articles here -->
+			<li>2025-10-29: <a href="/articles/webauthn-vs-interoperability">WebAuthn vs. Interoperability</a></li>
 			<li>2025-10-06: <a href="/articles/lie-of-the-third-place">The lie of the "Third Place"</a></li>
 			<li>2025-09-17: <a href="/articles/on-licensing">On licensing, around hobbyist projects</a></li>
 			<li>2025-08-18: <a href="/articles/no-noscript-element">The <noscript> element as a trap</a></li>