
At Google I/O '18, a demo was shown in which a user authenticates at PayPal by just providing a fingerprint (see YouTube, 24:40). This was done in a browser running on a smartphone that has a fingerprint sensor, and it requires the browser to implement the WebAuthn standard. The fingerprint unlocks the private key, which is stored on an authenticator and used for a challenge-response authentication.

As far as I understood, user interaction (i.e. asking for a fingerprint) can be disabled by setting the userVerification argument to discouraged (see w3.org). The user will be logged in automatically.

Can this flow also be implemented on a desktop browser without any extra hardware? Is there a default authenticator implemented in the browsers which could be used for that?

Concretely, I would like to do this:

  • register a public/private key pair in the desktop browser via WebAuthn so that the private key cannot be accessed via JavaScript (e.g. to mitigate XSS attacks)
  • every time data is sent to a server, sign that data via the WebAuthn API with the private key stored in the "default" authenticator, without requiring user interaction
DeStOv

1 Answer

Can this flow also be implemented on a desktop browser without any extra hardware? Is there a default authenticator implemented in the browsers which could be used for that?

Chrome and probably most browsers can generate a public-private key pair and use it for authentication. However, the security of this key without being protected by dedicated hardware, as in the case of the phone, is very dubious at best.

The preferred solution would be to use a USB token such as a YubiKey. Most of these do require interaction, namely pressing a button on the token, to prevent malware from using it without the user's knowledge, but you may be able to find one that does not, or alternatively one that allows you to modify its firmware and disable this requirement.

Peter Harmann
  • Can Chrome manage key pairs without add-ons? Firefox cannot. Well, "most browsers" is misleading. On desktop only Firefox and Chrome support WebAuthn, and on mobile only Chrome. – Markus Oct 13 '18 at 20:05
  • Chrome 70 now supports publicKey authenticators like biometric sensors on mobile phones and laptops. – Spock Oct 18 '18 at 08:29
  • @Spock how? I couldn't find that feature. – cslotty Jan 07 '19 at 16:25
  • @cslotty I'm sorry, I just saw your question now. Look up WebAuthn; I have implemented fingerprint/face unlock authentication on our company website and it works wonderfully. – Spock Jan 19 '19 at 09:53
  • @Spock I have read pretty much anything that can be found on WebAuthn! :-) But it seemed that Chrome only supported USB keys. Now you're telling me fingerprints etc. work, so I'll give it a try. Thanks. – cslotty Jan 21 '19 at 16:51
  • What about without hardware, including fingerprint readers? We store client-side credentials all the time (session IDs, refresh tokens, Credential Manager). Even software-backed private key signing is better than a JavaScript-accessible shared secret. – NewEndian Jun 24 '19 at 12:57