Passkey support, our third passwordless developer option, has arrived for ODD SDK.
What are Passkeys?
WebAuthn API, or Passkeys, is a user authentication system that replaces passwords using cryptography. We'll dive more into passkeys, how they work, and how they differ from other passwordless options in this blog post, but first, let's review why developers should consider building passwordless apps.
The Benefits of Going Passwordless
There are several benefits to going passwordless for both users and developers.
1) Improved Security - This is a biggy! Machine learning is getting better at cracking passwords, and phishing attempts have gotten more sophisticated. Even the savviest users can fall prey to professional hackers. Data leaks jeopardize the exposed passwords and any accounts where users have re-used that password. App creators must have tight security when creating databases to store user passwords - the GDPR risks are enough to keep anyone up at night.
Passkeys cannot be guessed, and they are end-to-end encrypted. Phishing apps or websites created to steal users' keys won't work (unlike blockchain wallet keys) because these keys are inextricably linked to the user's device and verified by a special token (which we'll expand on in this post shortly).
2) Better User Experience - Unless a user has a subscription to a password manager (and even those can get compromised), they have to either write down or memorize all their passwords. When they inevitably forget their password, they must go through an account recovery process that can be frustrating when the user is short on time.
Fission's Passwordless Options
App developers using ODD SDK currently have two passwordless options - WebCrypto API and WalletAuth.
WebCrypto API gives the browser fairly low-level cryptographic building blocks, which include encryption and signatures. A user's private key is stored in their browser, and no one, not even the user, can extricate it. If they created their account on their laptop and want to access it on their mobile phone, they have to link their devices to do so (this is a simple process using the AWAKE protocol, also part of ODD SDK).
The upsides of WebCrypto API - it's highly secure and user-friendly. There are many tools built into it for developers to use. The downside - developers need to know what they want to build ahead of time. It's like getting a box of LEGO but no directions.
WalletAuth allows developers to integrate the Metamask browser extension wallet for user sign-in. When users connect to an ODD SDK app, they can access on-chain data as usual, as well as encrypted off-chain data storage features.
The upside - it's great for Web3 dapps and Web3 users who are comfortable with blockchain wallets and want to seamlessly work with both on and off-chain data. The downside - users who are not Web3 savvy will be very intimidated by this type of login option.
Under the Hood
At the beginning of this article, we learned that WebAuthn is a user authentication system that replaces passwords using cryptography. Instead of using a username and password, the user authenticates with a key stored on their device and signs some unique data with that key.
The unique data is divided into two parts: Client Data and Authenticator Data. Client Data includes contextual information about the WebAuthn Relying Party and the WebAuthn Client. Authenticator Data includes contextual information that derives its trustworthiness from the WebAuthn Relying Party's assessment of the security of the authenticator.
In other words, the unique data seeks to understand the relationship between the app (or specifically, the WebAuthn Relying Party who created the app) and the user (specifically, the user agent - i.e. the browser or mobile app they are using) and determines whether the app can securely verify the user. On both sides, there is a layer of abstraction to ensure privacy and trustworthiness.
After the user signs the unique data, they embed that signature and unique data into a Public Key Credential. It uses the FIDO standard and is a container just like JWT that formats the public key, signature, and unique data in a specific way according to the spec.
Passkeys in Action
Fission engineer Hugo Dias has spent months diving deep into the passkeys spec, learning what works across browsers and operating systems. As a result, he's put together a passkeys library that developers can use to add passkeys support to their ODD apps.
Hugo has created two demos to demonstrate passkey syncing and sharing.
This first video shows passkeys syncing across devices with Google Password Manager. Using the Android emulator, we visit https://passkeys.fission.app (the version on Hugo's personal domain hugodias.me) and create a new user with a passkey-based login.
The user is now logged in on Android and can upload and access files.
Switching to Google Password Manager, we see that the passkey for hugodias.me has been saved and synced.
We can now switch to a desktop browser, visit the same app, and get a prompt to use a saved passkey. A pin is used to unlock.
Once logged in, we can see that the picture uploaded on mobile is accessible on a desktop web browser, synced through user WNFS files.
This second video demonstrates navigating to https://passkeys.fission.app using the Android Mobile emulator. hugo-sharing is logged in.
The website is a progressive web app that is installable on Android, so “Install app” is chosen from the Android Chrome browser menu.
Once installed, the ODD logo appears on the home screen. After launching, we see that hugo-sharing is still logged in, as it uses the same context as the website version.
Switching to the Google Photos app, the Android share function is used. Selecting the installed ODD app uploads the photo into the user’s WNFS.
The share button again uses Android native share functionality, and we can share from the installed ODD PWA app over to WhatsApp (or any other Android app).
View the GitHub source notes for more information on these features.
You can start developing with passkeys in ODD SDK today. Visit the ODD SDK Passkeys repo to get started.