
I am developing a SaaS application that implements a two-factor authentication feature using hardware keys (YubiKey, Titan Key) via the WebAuthn/U2F protocol. The feature works well for registering and authenticating in the web version. However, my application also has a mobile version, a desktop application, and browser extensions. If I register the key using the web version, I am not able to authenticate in the other versions.

I think the problem is that, when registering, the key is registered using the domain name of the web version, and the verification fails when I use the other versions because the domain name is not the same.

For example: my key is registered with the domain name example.com, and when logging in from the Chrome extension the domain is chrome-extension.

How can I solve this issue, or how can I do the authentication from different forms of the same application?

Zohra

1 Answer

WebAuthn credentials are scoped to an RP ID. A website, www.example.com, can use the RP IDs www.example.com and example.com. (Roughly, you can remove labels from the left of the domain, but not as far as an effective TLD, so no RP ID of com.)

Mobile apps can use any RP ID, but the domain has to authorise them by listing them in a file in /.well-known/. (The details differ between Android and iOS.)

Chrome extensions can only use the chrome-extension:… RP ID, however. You aren't the first to ask about whether that can be extended, and the Web Extensions CG might end up defining something, but there's nothing currently I'm afraid.

agl
Thank you so much. Yes, apparently there is no solution. The key should be authenticated from the same platform it was registered on. We should have another verification mode for other devices. – Zohra Aug 21 '23 at 08:28
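The three scoping rules in the answer, modelled as a small check that a relying party can run when deciding which of its clients can share one registered credential. This is an added example, not code from the question, from agl's answer, or from any browser; the effective-TLD subset, the well-known association table, the client list and the "non-https origins may only use their own host" rule are assumptions constructed for the example (a real check must consult the full Public Suffix List and the platform-specific Android/iOS association files).

```javascript
// Added example: a model of WebAuthn RP ID scoping for the three client kinds
// discussed in the answer (web origin, native app, browser extension).

// Constructed subset of effective TLDs for this example only.
// A real implementation must use the full Public Suffix List.
const EFFECTIVE_TLDS = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Constructed stand-in for what example.com would publish under /.well-known/.
// Android (assetlinks.json) and iOS (apple-app-site-association) differ in
// format; here both are flattened to "RP ID -> set of app identifiers".
const WELL_KNOWN_ASSOCIATIONS = {
  "example.com": new Set(["com.example.app", "ABCDE12345.com.example.ios"]),
};

// A web page served from `origin` asking for `rpId`: the RP ID must be the
// host itself or a suffix obtained by dropping labels from the left, and it
// must not be an effective TLD.
function webOriginMayUse(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  const host = url.hostname.toLowerCase();
  const candidate = rpId.toLowerCase();
  if (url.protocol !== "https:") {
    // chrome-extension://<id> and other non-https schemes cannot borrow a web
    // domain as RP ID. Assumption in this model: they may only use their own host.
    return candidate === host;
  }
  if (candidate === host) return true;
  if (!host.endsWith("." + candidate)) return false;
  return !EFFECTIVE_TLDS.has(candidate);
}

// A native app identified by `appId` (package name or bundle id) asking for
// `rpId`: allowed only if the domain lists that app in its well-known file.
function nativeAppMayUse(appId, rpId, associations = WELL_KNOWN_ASSOCIATIONS) {
  const apps = associations[rpId.toLowerCase()];
  return apps !== undefined && apps.has(appId);
}

// Client descriptor: { kind: "web", origin } or { kind: "app", appId }.
function clientMayUse(client, rpId) {
  switch (client.kind) {
    case "web":
      return webOriginMayUse(client.origin, rpId);
    case "app":
      return nativeAppMayUse(client.appId, rpId);
    default:
      return false;
  }
}

// For a credential registered under `rpId`, list the clients that can present it.
function clientsSharingCredential(rpId, clients) {
  return clients.filter((c) => clientMayUse(c, rpId)).map((c) => c.name);
}

// Constructed client list for the product described in the question.
const CLIENTS = [
  { name: "web", kind: "web", origin: "https://www.example.com" },
  { name: "android", kind: "app", appId: "com.example.app" },
  { name: "ios", kind: "app", appId: "ABCDE12345.com.example.ios" },
  { name: "extension", kind: "web", origin: "chrome-extension://abcdefghijklmnopabcdefghijklmnop" },
];

console.log(clientsSharingCredential("example.com", CLIENTS));
// prints [ 'web', 'android', 'ios' ]: the extension cannot use example.com
```

Registering under the shortest permitted RP ID (example.com rather than www.example.com) is what lets the web app and the associated native apps share one credential; the extension origin falls outside that scope no matter which RP ID is chosen, which is the gap the answer describes.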