logo

blog

My website can't be that messy, right? git clone https://anongit.hacktivis.me/git/blog.git/

webauthn-vs-interoperability.xml (2244B)

    

  1. <entry>
  2. <title>WebAuthn vs. Interoperability</title>
  3. <link rel="alternate" type="text/html" href="https://hacktivis.me/articles/webauthn-vs-interoperability"/>
  4. <id>https://hacktivis.me/articles/webauthn-vs-interoperability</id>
  5. <published>2025-10-29T16:43:16Z</published>
  6. <updated>2025-10-29T16:43:16Z</updated>
  7. <link rel="external replies" type="application/activity+json" href="https://queer.hacktivis.me/objects/ad12e048-a5a2-435f-85fa-100e7481b547" />
  8. <link rel="external replies" type="text/html" href="https://queer.hacktivis.me/objects/ad12e048-a5a2-435f-85fa-100e7481b547" />
  9. <content type="xhtml">
  10. <div xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
  11. <p>
  12. 	WebAuthn, also marketed as passkeys for a subset of it, is something
  13. 	that seems rather scary to me from an interoperability perspective.
  14. </p>
  16. <p>
  17. 	Not only it's a lock-in in terms of authenticators, it's also a lock-in to Chrome/Firefox/Safari.<br />
  18. 	Wanted to use an alternative browser?  Nope.<br />
  19. 	And you can probably forget using it on embedded devices outside of Android/iOS.<br />
  20. 	Wanted to authenticate to a service on your e-reader?  Nope.
  21. </p>
  23. <p>
  24. 	But there's also the issue of authenticating from non-browsers
  25. 	such as native applications, granted a lot of them use OAuth tokens
  26. 	or similar but there's a sort of bootstrapping problem in systems
  27. 	where you don't have a full-blown mainstream browser.<br />
  28. 	(And good luck copying the OAuth token from one device to another)
  29. </p>
  31. <p>
  32. 	And the design of WebAuthn means you can't copy
  33. 	the generated token into a text field, unlike
  34. 	<a href="https://en.wikipedia.org/wiki/Time-based_one-time_password">TOTP</a>
  35. 	(sometimes branded as things like Google Authenticator)
  36. 	which has none of those issues while still allowing to use hardware tokens.
  37. </p>
  39. <p>
  40. 	You could argue on usability, WebAuthn is likely friendlier
  41. 	to most when you follow the intended path thanks to browser-integration.
  42. 	But not due to the underlying WebAuthn properties which instead
  43. 	causes problems, and ones that you're likely to discover the hard way:
  44. 	Getting the authenticators you use revoked;
  45. 	Not being able to authenticate on some devices;
  46. 	Backups being harder;
  48. </p>
  49. </div>
  50. </content>
  51. </entry>