
For people confused about what this is: it's basically the de facto cross-browser standard for U2F security keys like Yubikeys.


More than that. Because it's an open standard it can be used with other types of authenticators, like password managers and platform-level security keys. There are also extensions allowing sites to prompt users for explicit authorization for a specific action. (e.g. "do you want to send $20 to xyz?")

In short, this could replace passwords for web authentication entirely.


If I'm not mistaken, the browsers themselves could act as "authenticators" and help people manage credentials in software.


Exactly. Authenticate with your Google account on chrome, iCloud account on safari, or Firefox account on Firefox.


So I like this concept based on what I can see (basically like an RSA token or similar w/o the generated token, or rather w/o having to enter said token manually). Question: Microsoft was pushing hard that they're going towards passwordless, and if memory serves, it was through the FIDO Alliance stuff. So how do we get there with this? I'm assuming this is supplemental to that (a "second factor"), but what else gets us there?


Web Authentication is part of FIDO2, which is what Microsoft is pushing. Whether you use it for passwordless login or second factor depends on what the server wants and what authenticator hardware the user has.


Can it also be used for SSH logins without much bending of the concepts?

And does it allow extensions, e.g. secure login through a smartwatch + NFC, and similar ideas?


Yes it can, I used U2F in CLI apps to sign HTTP requests: https://developers.yubico.com/U2F/Libraries/Using_a_library....

There is also pam-u2f: https://developers.yubico.com/pam-u2f/

and https://github.com/bluecmd/openssh-u2f (not in upstream)


Thanks, interesting subject. Are there any worthy DIY Yubikey-like tutorials out there?


The spec hasn't been finalized yet, IIRC, but you will be able to roll your own when it does, as it'll be an open protocol.


Is this like Client Certs without the connection to the SSL cert?

Oh, I guess client certs are owned and controlled by the server owner...


Sorta, Client Certs but the Client generates and authenticates them; the Server only stores the fingerprint and authenticates them on its side.

And with a better UI and flow since you don't need it to establish connection.


Lack of sleep makes it a bad time for me to read this. But if the client generates the key does it mean it's stored on the browser or something like that? It means that I will need a sync/copy procedure if I'm going to use it in another machine/browser?


Essentially yes. You'll need something like Firefox Sync or providers will have to implement a way of adding devices.

However the WebAuthn API also leaves options for password managers and other endpoints managing the actual secrets.


Yeah, and a separate keypair is generated for each site.



