4

Web Authentication relies on asymmetric encryption to do away with passwords and SMS 2-factor authentication.

Can it work across browsers? Must the user use the same browser on the same device where the private key resides? If the user were to clear the browser data or uninstall the browser, will the private key still remain?

paulsm4
Chong Lip Phang

  • "Web Authentication" is a generic term - it can mean many different things. [WebAuthn](https://webauthn.guide/) is a specific API/specification Q: You're referring to WebAuthn, correct? To answer your question: WebAuth relies on [Navigator.credentials](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/credentials), which is per-browser. – paulsm4 Nov 07 '20 at 23:12
  • If you sync your browser/account then yes navigator.credentials are synced too – Lawrence Cherone Nov 07 '20 at 23:15
  • Yes, I am referring to WebAuth. Hmm...So I guess, after all, it can't fully replace password systems. – Chong Lip Phang Nov 07 '20 at 23:25

1 Answer

4

Can it work across browsers?

Yes. This API is available in the most used browsers.

Must the user use the same browser on the same device where the private key resides?

The private key is stored in the authenticator, not in the browser. For the device, there are 2 cases:

  • The authenticator is a roaming one i.e. a device you can have in your pocket/bag and that interacts using USB, NFC or Bluetooth: you can use it on any device that provides the correct interface.

  • The authenticator is a platform one i.e. it is embedded in the device (power button with fingerprint reader, Android device…): you must use that device (no matter which browser you use).

If the user were to clear the browser data or uninstall the browser, will the private key still remain?

As said in the previous answer, nothing is stored in the browser. The private keys are stored in the authenticator.

Spomky-Labs
    For touch ID in particular, it's a bit more complicated. Chromium's touch ID implementation relies on a key that's associated to a user's chromium profile, so other browsers wouldn't be able to see touch id credentials. In fact, the credential isn't even shared among different in-browser profiles. – Nina Satragno Nov 30 '20 at 17:01
  • @NinaSatragno You aroused my curiosity. Do you have a source that could help me to understand that point? – Spomky-Labs Nov 30 '20 at 17:38
  • 1
    Yes, take a look here https://source.chromium.org/chromium/chromium/src/+/master:device/fido/mac/authenticator_config.h;l=21-25;drc=dc479516dca64e330091b5bb88770955e5f0577f. You can follow around `metadata_secret` in the code. More context at crbug.com/1139568 – Nina Satragno Nov 30 '20 at 22:17
  • For clarity: it is true that "The private key is stored into the authenticator", BUT what that means in practice depends on what exactly "the authenticator" is. It could be a separate, dedicated USB device (called "roaming authenticator" in the spec), in which case yeah, everything is stored on the USB device and not in the browser. But the "authenticator" could also be built into the browser or operating system (called "platform authenticator" in the spec), in which case the key is likely not quite as portable. – Emil Lundberg Feb 18 '22 at 08:45
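To make the "private key stays in the authenticator" point concrete, here is an added example that is not part of the question, the answer or any comment above. It shows the two things a web page and its server actually handle in a WebAuthn registration: the creation options passed to `navigator.credentials.create()` (where `authenticatorAttachment` selects a platform or cross-platform/roaming authenticator, as the answer distinguishes), and a parser for the `authenticatorData` the server gets back, which carries only a credential ID, the authenticator's AAGUID and a COSE public key. The relying party ID `example.com`, the user `alice` and the sample byte string are constructed for the example; the COSE key bytes are a truncated placeholder and are not decoded.

```javascript
// Added example (not from the original Stack Overflow post).
// Relying-party view of a WebAuthn registration: what is requested and what comes back.

// Options a page hands to navigator.credentials.create(). `attachment` is
// "platform" (authenticator built into the device, e.g. Touch ID) or
// "cross-platform" (roaming key over USB/NFC/BLE). rp and user are assumed values.
function buildCreationOptions(attachment, challenge) {
  return {
    publicKey: {
      rp: { id: "example.com", name: "Example RP" },            // assumed relying party
      user: { id: Uint8Array.of(1, 2, 3, 4), name: "alice", displayName: "Alice" }, // assumed user
      challenge,                                                // server-generated random bytes
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],      // -7 = ES256 (COSE algorithm id)
      authenticatorSelection: { authenticatorAttachment: attachment, userVerification: "preferred" },
      timeout: 60000,
    },
  };
}

// Parse authenticatorData (WebAuthn Level 2, section 6.1):
//   rpIdHash(32) | flags(1) | signCount(4, big-endian) | [attestedCredentialData] | [extensions]
// attestedCredentialData = aaguid(16) | credentialIdLength(2, big-endian) | credentialId | COSE_Key
// Nothing in this structure is a private key; the server stores credentialId + public key.
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  const result = {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & 0x01) !== 0,            // UP
    userVerified: (flags & 0x04) !== 0,           // UV
    attestedCredentialData: (flags & 0x40) !== 0, // AT
    extensionData: (flags & 0x80) !== 0,          // ED
    signCount: view.getUint32(33, false),
  };
  if (result.attestedCredentialData) {
    let off = 37;
    result.aaguid = bytes.slice(off, off + 16); off += 16;   // identifies the authenticator model
    const credIdLen = view.getUint16(off, false); off += 2;
    if (off + credIdLen > bytes.length) throw new Error("credentialId overruns buffer");
    result.credentialId = bytes.slice(off, off + credIdLen); off += credIdLen;
    // Remaining bytes are the CBOR COSE_Key (followed by the extensions map when ED is set);
    // splitting those two precisely needs a CBOR decoder, which this example leaves out.
    result.credentialPublicKey = bytes.slice(off);
  }
  return result;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Constructed sample authenticatorData (not captured from a real authenticator).
const SAMPLE_AUTH_DATA = concat(
  new Uint8Array(32).fill(0x11),               // rpIdHash placeholder (not a real SHA-256)
  Uint8Array.of(0x45),                         // flags: UP | UV | AT
  Uint8Array.of(0, 0, 0, 7),                   // signCount = 7
  new Uint8Array(16).fill(0x22),               // AAGUID placeholder
  Uint8Array.of(0, 4),                         // credentialId length = 4
  Uint8Array.of(0xde, 0xad, 0xbe, 0xef),       // credentialId placeholder
  Uint8Array.of(0xa5, 0x01, 0x02, 0x03, 0x26), // start of a COSE_Key map (kty: EC2, alg: -7), truncated
);

// Stand-alone usage: request a roaming authenticator, then inspect a registration response.
const opts = buildCreationOptions("cross-platform", new Uint8Array(32));
console.log("attachment requested:", opts.publicKey.authenticatorSelection.authenticatorAttachment);
const reg = parseAuthenticatorData(SAMPLE_AUTH_DATA);
console.log("credentialId:", toHex(reg.credentialId), "signCount:", reg.signCount,
            "userVerified:", reg.userVerified, "publicKey bytes:", reg.credentialPublicKey.length);
```

In a real deployment the server would additionally decode the COSE key, verify the attestation signature and store the counter so a lower `signCount` on a later assertion can be flagged as a possible cloned authenticator; the portability questions in the thread are decided by where that key pair physically lives, which is exactly the `aaguid` and attachment information surfaced here.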