WebAuthn support

[shouze]

Please stick to one distinct feature request per issue where possible and raise additional feature quests as separate issues. Try to avoid adding feature requests to existing issues in the comments of issues raised by other users.

Summary of proposed feature
Since Safari 14 will support WebAuthn through Touch/FaceID this is a true game changer (like passwordless) in authentication domain. It's supported on Android too (since at least Android 7).

Purpose of proposed feature
Seamless mobile authentication with better pricacy control

Detail about proposed feature
more than 60% of mobile devices have a biometric hardware part.

Potential problems
Not sure yet, I've not familiar enough with WebAuthn & FIDO2.
Limitations are more on desktop platforms, should not be a good idea at the moment to expose this feature as very few computers get biometric hardware so it defaults to security keys that very few people owns. This probably imply device detection.

Describe any alternatives you've considered
Looks like there's a good repository to start about WebAuthn. And some js code available here.

Additional context

Please indicate if you are willing and able to help implement the proposed feature.
Yes for sure!

[balazsorban44]

@shouze I am reopening this issue, as we have some more capacity now. Just opened an RFC #1465 and I was wondering if that would fit under there? I am not totally familiar with how WebAuthn works just yet, so if you figured out more about it since this post, it would help a lot to determine how could we proceed with this feature request.

[gamedevsam]

I think WebAuth can only be enabled on an existing account, so it can be used for login, but not sign-up. Perhaps we use local storage to detect the presence of a biometric key and use that to enable the WebAuth option in the login form?

[bdewater]

It is a perfectly valid use case to sign up a new account with a new public key credential at the same time.

"Biometric key" is a bit broad, you could test for isUserVerifyingPlatformAuthenticatorAvailable()?

[balazsorban44]

I am still keeping this open, if anyone is interested in checking out what would be necessary from us.

[beaussan]

Hello, I found this issue and I found a blog post explaining how to setup WebAuthn with next auth, maybe this could be a nice base for the implementation ? Or at least link it in the documentation

disclaimer : I'm not the author of this post

https://dev.to/jsombie/password-less-authentication-in-nextjs-application-with-webauthn-and-nextauth-3mgl

[jasongitmail]

Might be worth looking at @passwordless-id/webauthn (Github; MIT license) to see what can be reused or integrated.

[tdack]

See PRs #8808 & #8809