Web Authentication API (a.k.a. WebAuthn) allows authentication using a private-public key pair (known as a credential) on your devices instead of passwords.
81% of all hacking-related breaches leverage stolen or weak passwords.
A password is a "shared secret", and oftentimes the same login/password combo is shared across multiple websites. If one of the sites does not follow proper security practices (and you'd be surprised how many large tech companies used unencrypted plain-text passwords and got hacked), all your accounts could be at risk.
I am personally guilty of this insecure practice. See the warnings from Google's password manager for one of my dummy accounts: 29 compromised passwords from known hacks!
WebAuthn relies on the device's HSM (hardware security module, responsible for encrypting and decrypting your keys) and works really well with modern phones. The Fortmatic approach is very similar, replacing your device's HSM with the Amazon HSM service. The Fortmatic team also released Magic Link, a passwordless login (similar to the login experience from Notion).
Cryptocurrencies are built on top of blockchains. As the name "crypto" implies, they are based on cryptography. Blockchains rely on the same private-public key-pair concept to ensure security. Using a blockchain in the backend for handling auth is a natural fit for this authentication approach.
Have any IH developers tried implementing WebAuthn? I would love to hear about your approach to authentication.
Hey there!
We (www.ezid.io) are currently implementing this and can confirm it is a pain...
How is it coming along for you?
I've read about it and intend to implement it as a form of 2FA (I think GitHub allows this as one of their 2FA methods).
However, I've not implemented it yet.