libraries:
attestation preference
read: yubico
only needed if you want to be strict about hardware provenance
prefer: no attestation

authenticator attachment
read: yubico
choose valid authenticator types
prefer: cross platform

resident key
read: yubico
first factor / usernameless auth
limited space on keys
prefer: false

user verification
read: yubico
test for user identity: ask user for PIN, equivalent to password in MFA
prefer: discouraged when combined with username/password
// Bool returns a pointer to b; RequireResidentKey is a *bool in duo-labs/webauthn.
func Bool(b bool) *bool { return &b }

wan, err := webauthn.New(&webauthn.Config{
	RPDisplayName:         "Display Name",
	RPID:                  "localhost",        // effective domain; hashed into authenticatorData
	RPOrigin:              "http://localhost", // must equal the origin the browser reports
	AttestationPreference: protocol.PreferNoAttestation,
	AuthenticatorSelection: protocol.AuthenticatorSelection{
		AuthenticatorAttachment: protocol.CrossPlatform,
		RequireResidentKey:      Bool(false),
		UserVerification:        protocol.VerificationPreferred,
	},
})
if err != nil {
	log.Fatal(err)
}
two-part registration / login flow with duo-labs/webauthn
// Registration handler 1
ca, sd, err := wan.BeginRegistration(user)
// send ca (*protocol.CredentialCreation) to the client as JSON
// save sd (*webauthn.SessionData, holds the challenge) to the session store

// Registration handler 2
// r is the *http.Request carrying the client's attestation response;
// FinishRegistration takes SessionData by value, so dereference sd
cred, err := wan.FinishRegistration(user, *sd, r)
// persist cred on the user; it is needed for every later login

// Login handler 1
ca, sd, err := wan.BeginLogin(user)
// send ca (*protocol.CredentialAssertion) to the client as JSON
// save sd to the session store

// Login handler 2
cred, err := wan.FinishLogin(user, *sd, r)
// check cred.Authenticator.CloneWarning and persist the new cred.Authenticator.SignCount
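The two flows above both hinge on "save sd to session store": handler 2 must find the challenge handler 1 issued, and the library then checks that challenge, the ceremony type and the configured RPOrigin against clientDataJSON, and SHA-256(RPID) against the start of authenticatorData. The following is an added example, not code from the page or from duo-labs/webauthn, that re-implements those pieces with the standard library only so the checks are visible: a single-use, expiring challenge store standing in for SessionData, plus the clientDataJSON and RP ID hash checks. The store type, its session-key scheme and the sample clientDataJSON are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// sessionData is a hypothetical stand-in for the library's SessionData:
// what has to survive between handler 1 and handler 2.
type sessionData struct {
	Challenge string // base64url, exactly as sent to the client
	UserID    []byte
	Expires   time.Time
}

// Store keeps pending ceremonies keyed by session. Each challenge is single-use.
type Store struct {
	mu      sync.Mutex
	pending map[string]sessionData
}

func NewStore() *Store { return &Store{pending: map[string]sessionData{}} }

// Begin mirrors handler 1: mint a random challenge and remember it for the session.
func (s *Store) Begin(sessionKey string, userID []byte, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[sessionKey] = sessionData{Challenge: ch, UserID: userID, Expires: time.Now().Add(ttl)}
	return ch, nil
}

// Consume mirrors the lookup in handler 2. The entry is deleted whether or not the
// rest of the ceremony succeeds, so a replayed response finds nothing to match.
func (s *Store) Consume(sessionKey string) (sessionData, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sd, ok := s.pending[sessionKey]
	if !ok {
		return sessionData{}, errors.New("no pending ceremony for this session")
	}
	delete(s.pending, sessionKey)
	if time.Now().After(sd.Expires) {
		return sessionData{}, errors.New("challenge expired")
	}
	return sd, nil
}

// clientData is the subset of CollectedClientData these checks need.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyClientData performs the checks FinishRegistration/FinishLogin apply to
// clientDataJSON: ceremony type ("webauthn.create" or "webauthn.get"), the echoed
// challenge, and an origin equal to the configured RPOrigin.
func VerifyClientData(raw []byte, wantType, wantChallenge, wantOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(raw, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != wantType {
		return fmt.Errorf("ceremony type %q, want %q", cd.Type, wantType)
	}
	if cd.Challenge != wantChallenge {
		return errors.New("challenge does not match the pending ceremony")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q, want %q", cd.Origin, wantOrigin)
	}
	return nil
}

// VerifyRPIDHash compares the first 32 bytes of authenticatorData with SHA-256(RPID);
// this is why RPID must be the site's effective domain.
func VerifyRPIDHash(authData []byte, rpID string) bool {
	if len(authData) < 32 {
		return false
	}
	want := sha256.Sum256([]byte(rpID))
	return bytes.Equal(authData[:32], want[:])
}

func main() {
	s := NewStore()
	ch, _ := s.Begin("sess-1", []byte("alice"), time.Minute)
	// constructed clientDataJSON, as a browser would return it for this challenge
	raw := []byte(`{"type":"webauthn.create","challenge":"` + ch + `","origin":"http://localhost"}`)
	sd, _ := s.Consume("sess-1")
	fmt.Println("first use:", VerifyClientData(raw, "webauthn.create", sd.Challenge, "http://localhost"))
	_, err := s.Consume("sess-1")
	fmt.Println("replay:", err)
}
```

With a real session cookie as the key, this is the shape the "save sd / load sd" comments in the handlers expand to; the TTL and the delete-on-lookup are the parts most often forgotten when the store is a plain map or cache.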