
SEAN K.H. LIAO

webauthn

libraries: duo-labs/webauthn (github.com/duo-labs/webauthn; the option constants below come from its protocol package)

config

AttestationPreference

read: yubico

Request attestation only if you need to be strict about hardware provenance (e.g. allowlisting specific authenticator models). It obliges the RP to validate the attestation statement against a trusted root set, and it exposes a model identifier that, for "direct" conveyance, the browser asks the user to consent to sharing.

prefer: no attestation

AuthenticatorAttachment

read: yubico

choose which authenticator types are acceptable: platform (built into the device, e.g. Touch ID or Windows Hello) or cross-platform (a roaming USB/NFC/BLE security key); leaving it unset allows both

prefer: cross platform

RequireResidentKey

read: yubico

resident (discoverable) credentials are stored on the authenticator together with the user handle, which is what makes first factor / usernameless auth possible

security keys have limited storage for them, so only require them for that use case

prefer: false

UserVerification

read: yubico

asks the authenticator to verify the user (PIN or biometric) rather than only test presence; this makes the authenticator itself a second factor, roughly equivalent to the password in MFA

prefer: discouraged when combined with username/password (the password already supplies that factor); required for usernameless / passwordless login

import (
  "github.com/duo-labs/webauthn/protocol"
  "github.com/duo-labs/webauthn/webauthn"
)

// Bool is a local helper: RequireResidentKey is a *bool in this library.
func Bool(b bool) *bool { return &b }

wan, err := webauthn.New(&webauthn.Config{
  RPDisplayName:         "Display Name",
  RPID:                  "localhost",        // effective domain; must match the host in the origin
  RPOrigin:              "http://localhost", // scheme + host (+ port) exactly as the browser reports it
  AttestationPreference: protocol.PreferNoAttestation,
  AuthenticatorSelection: protocol.AuthenticatorSelection{
    AuthenticatorAttachment: protocol.CrossPlatform,
    RequireResidentKey:      Bool(false),
    UserVerification:        protocol.VerificationPreferred, // VerificationDiscouraged when WebAuthn is only a second factor after a password
  },
})
if err != nil {
  // fail closed: a misconfigured RP must not serve ceremonies with a nil wan
}
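To make the config choices concrete, here is, as an added example rather than code from this page or from duo-labs/webauthn, the core of what FinishRegistration / FinishLogin enforce against a response in plain Go: the clientDataJSON bindings (ceremony type, session challenge, origin matching RPOrigin), the fixed authenticator data header (RP ID hash matching RPID, the UP/UV flags that UserVerification governs, the signature counter), and the clone rule applied to that counter. It covers both ceremonies (create and get). The sample challenge, clientDataJSON and authenticator data are constructed inline; buildAuthData is a demo helper, not a library call.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the authenticator data flags byte: user present; user verified (PIN/biometric).
const flagUP, flagUV byte = 0x01, 0x04

// clientData holds the CollectedClientData fields an RP must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// verifyClientData checks the three bindings that stop replay and phishing:
// the ceremony type ("webauthn.create" or "webauthn.get"), the challenge
// remembered in the session, and the origin configured as RPOrigin.
func verifyClientData(raw []byte, wantType string, wantChallenge []byte, wantOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(raw, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != wantType {
		return fmt.Errorf("type %q, want %q", cd.Type, wantType)
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, wantChallenge) {
		return errors.New("challenge does not match the pending session")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q, want %q", cd.Origin, wantOrigin)
	}
	return nil
}

// verifyAuthData parses the fixed 37-byte authenticator data header
// (rpIdHash[32] || flags[1] || signCount[4]) and enforces the RPID binding,
// user presence and, when the RP asked for it, user verification.
func verifyAuthData(authData []byte, rpID string, requireUV bool) (uint32, error) {
	if len(authData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return 0, errors.New("rpIdHash does not match RPID")
	}
	flags := authData[32]
	if flags&flagUP == 0 {
		return 0, errors.New("user presence flag not set")
	}
	if requireUV && flags&flagUV == 0 {
		return 0, errors.New("user verification required but UV flag not set")
	}
	return binary.BigEndian.Uint32(authData[33:37]), nil
}

// cloneDetected applies the signature counter rule of the login ceremony:
// once either side holds a non-zero counter, a value that does not increase
// past the stored one signals that the authenticator may have been cloned.
func cloneDetected(stored, received uint32) bool {
	return (stored != 0 || received != 0) && received <= stored
}

// buildAuthData assembles a minimal authenticator data header; demo helper only.
func buildAuthData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append([]byte{}, h[:]...)
	out = append(out, flags)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], signCount)
	return append(out, n[:]...)
}

func main() {
	// Constructed sample: a login response for the config above (RPID "localhost").
	challenge := []byte("0123456789abcdef0123456789abcdef") // a real RP draws this from crypto/rand
	cdj := []byte(`{"type":"webauthn.get","challenge":"` +
		base64.RawURLEncoding.EncodeToString(challenge) + `","origin":"http://localhost"}`)
	fmt.Println("clientData ok:", verifyClientData(cdj, "webauthn.get", challenge, "http://localhost") == nil)
	fmt.Println("phished origin rejected:", verifyClientData(cdj, "webauthn.get", challenge, "https://evil.example") != nil)
	ad := buildAuthData("localhost", flagUP, 5) // touch only, counter 5
	count, err := verifyAuthData(ad, "localhost", false)
	fmt.Println("signCount:", count, "err:", err)
	_, err = verifyAuthData(ad, "localhost", true) // VerificationRequired but no UV bit
	fmt.Println("UV required but missing:", err)
	fmt.Println("clone suspected (stored 5, received 5):", cloneDetected(5, 5))
}
```

With VerificationPreferred the UV bit may or may not be set, so an RP that relies on UV as a factor must pass requireUV=true (i.e. configure VerificationRequired) rather than trust the flag opportunistically; the library also rejects a response whose UV flag is missing only when verification was required.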

handler

each ceremony is a 2-part flow with duo-labs/webauthn: the first handler builds the options (including a fresh challenge) for the client and stashes the SessionData; the second validates the client's response against that SessionData

Registration
// Registration handler 1: user implements the library's webauthn.User interface
ca, sd, err := wan.BeginRegistration(user)
// send ca (the credential creation options) to the client as JSON
// save sd (*webauthn.SessionData: challenge, user ID) server-side, keyed by the browser session

// Registration handler 2: r is the *http.Request carrying the client's response
// sd is the SessionData reloaded from the store; FinishRegistration takes it by value,
// so dereference it if you still hold the pointer
cred, err := wan.FinishRegistration(user, sd, r)
// persist cred under the user: its ID and public key are what future logins verify against
Login
// Login handler 1: the user's stored credentials become the allowCredentials list
ca, sd, err := wan.BeginLogin(user)
// send ca (the credential request options) to the client as JSON
// save sd server-side, keyed by the browser session, as in registration

// Login handler 2: sd is again the stored SessionData value, consumed once
cred, err := wan.FinishLogin(user, sd, r)
// treat cred.Authenticator.CloneWarning as a security event (counter did not increase),
// then persist the updated sign count for this credential
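"save sd to session store" carries the security of the whole flow, so here is, as an added example (not this page's or the library's code), a server-side store for pending ceremonies with the properties the second handler depends on: the challenge never leaves the server, a session holds at most one pending ceremony, it is handed out exactly once and deleted before any check (no replay, no retry against the same challenge), it expires, and it is bound to the user it was started for. The sessionData type is a stand-in mirroring the Challenge and UserID fields of the library's SessionData; session IDs, user handles and challenge strings in main are constructed, and the injectable clock exists for testing.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
	"time"
)

// sessionData stands in for the value returned by BeginRegistration/BeginLogin;
// the library's SessionData carries these two fields among others.
type sessionData struct {
	Challenge string
	UserID    []byte
}

type pending struct {
	data    sessionData
	expires time.Time
}

var (
	errNoCeremony = errors.New("no pending ceremony for this session")
	errExpired    = errors.New("pending ceremony expired")
	errWrongUser  = errors.New("pending ceremony belongs to a different user")
)

// ceremonyStore keeps pending ceremonies server-side, keyed by the browser's
// session ID, so the client never holds (or can tamper with) the challenge.
type ceremonyStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock for tests
	entries map[string]pending
}

func newCeremonyStore(ttl time.Duration) *ceremonyStore {
	return &ceremonyStore{ttl: ttl, now: time.Now, entries: map[string]pending{}}
}

// Save is called by handler 1. Starting a new ceremony overwrites any earlier
// one for the session, so only the most recent challenge is ever acceptable.
func (s *ceremonyStore) Save(sessionID string, sd sessionData) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[sessionID] = pending{data: sd, expires: s.now().Add(s.ttl)}
}

// Take is called by handler 2. It returns the pending data exactly once and
// deletes it before any check, so a captured response cannot be replayed and a
// failed attempt cannot be retried against the same challenge. It also refuses
// expired entries and entries that were started for a different user.
func (s *ceremonyStore) Take(sessionID string, userID []byte) (sessionData, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.entries[sessionID]
	if !ok {
		return sessionData{}, errNoCeremony
	}
	delete(s.entries, sessionID)
	if s.now().After(p.expires) {
		return sessionData{}, errExpired
	}
	if !bytes.Equal(p.data.UserID, userID) {
		return sessionData{}, errWrongUser
	}
	return p.data, nil
}

func main() {
	store := newCeremonyStore(2 * time.Minute)
	alice := []byte("alice-user-handle") // constructed user handle
	// Handler 1 would store the SessionData returned by BeginLogin; this value is constructed.
	store.Save("session-cookie-1", sessionData{Challenge: "constructed-challenge", UserID: alice})
	sd, err := store.Take("session-cookie-1", alice)
	fmt.Println("first take:", sd.Challenge, err)
	_, err = store.Take("session-cookie-1", alice)
	fmt.Println("replayed take:", err)
}
```

In a multi-instance deployment the map becomes a shared backend (e.g. a database row or cache entry with a TTL); the single-use delete then needs to be atomic with the read, exactly as the mutex makes it here.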