Passkeys support

[tcannonfodder]

Hey there!

With the move towards passkeys (through the FIDO Alliance, Apple's OS updates, Windows Hello, etc.); I think it would be extremely useful for the larger Ruby community to have Devise support passkeys instead of passwords as an authentication method.

After some initial scanning of the Devise & Omniauth wiki, it feels like passkeys support should be baked into Devise itself; because it explicitly replaces passwords. Getting some guidance on how we should move forward would be invaluable.

Passkeys replace passwords (or alternatively: passkeys replace the mechanism of password exchange)

Unlike Shibboleth, SAML, OAuth, etc.; you're not using an external identity to verify a user, the browser & server exchange a public/private keypair instead of asking the user to generate & remember a password. So it doesn't necessarily fit as an Omniauth strategy.

Passkeys replace multi-factor authentication flows (or alternatively: passkeys use MFA by default)

Unlike the multi-factor extensions listed in the wiki, passkeys replace multi-factor authentication extensions because multi-factor authentication is baked into the passkey exchange ceremony (especially with the userVerification: required flag).

Some relevant links:

• https://fidoalliance.org/passkeys/#faq
• https://webauthn.io
• https://webauthn.guide
• https://github.com/CiTroNaK/webauthn-with-devise/tree/3-passwordless
• https://github.com/cedarcode/webauthn-ruby

Passkeys still use a lot of Devise's features

Since passkeys are simply a replacement for the password mechanism, an app that wants to use passkeys would still ideally want to use the 10 modules listed in devise's feature summary (just tailored for registering passkeys instead of passwords).

---

How would we proceed?

This is a big change, so it obviously wouldn't happen overnight, but I think for the long-term safety of users (both app that use Devise, and the customers of said apps), decoupling passwords out of Devise and replacing them with passkeys is essential.

I think the roadmap for this would be:

1. soft-decouple passwords out of Devise, replacing it with a generic term like "credential"
2. Making the credential method Devise uses configurable, defaulting to :password
3. Adding passkey support
4. Eventually, making new installations default to using :passkey

Again, getting some guidance on what makes the most sense for Devise would be a huge help. This is a project I believe in, since it raises for floor for everyone, and am happy to help out however I can.

[tcannonfodder]

I've started a fork here: https://github.com/tcannonfodder/devise ; and will start working on PRs to begin the process. I'd definitely appreciate any help from contributors who also want to see this happen

[evolve2k]

Thanks for doing this work.

[collimarco]

Any updates on this?

[tcannonfodder]

Hoping to get back on this soon! Work’s been busy, plus not having any guidance from the maintainers is…demoralizing

[rmaspero]

This is the kind of project I would actually be happy to put money behind to facilitate the upgrade. We use devise in a load of projects and official support for things like passkey and 2FA would be a dream.

[collimarco]

official support for things like passkey and 2FA would be a dream

@rmaspero Yes, that would be great. For 2FA you can use this gem: https://github.com/tinfoil/devise-two-factor

[tcannonfodder]

For those following the progress: I did another batch of renaming existing models & classes to prefix the appropriate ones with Password: tcannonfodder#6

Next up will be working on underlying data models for passkeys

[carlosantoniodasilva]

@tcannonfodder first, my apologies for not getting back here earlier. I've been super behind on all OSS-related things, trying to do some catch up work here again this year.

Second, appreciate the write up and initial work on the passkey support / feature. I can definitely see a future where Devise works out of the box with passkeys, even though I'm not yet super familiar with how they work. (admittedly, that's one area I need to catch up a bit on as well)

I am slightly afraid of renaming all.the.things though, and breaking lots of apps and libraries out there that rely on the current naming & structure of things, for example controllers can be inherited from, etc., so it needs some careful consideration on any renaming. I do have plans to release some breaking changes and major versions in the near future, but maybe one thing at a time. 😅

For now though, I have some other priorities to get through here, initially getting Devise + Turbo working fully out of the box, and then going from there. In the meantime, have you done any passkeys integration with Devise as-is? I'd like to look at (and perhaps, even implement some) integration code myself, before having a better idea of what changes would be necessary to have something like this better baked into devise itself. But like I said, I think it's definitely something that Devise could support entirely in the future.

---

@rmaspero @collimarco I've had the need to review an OTP/2FA implementation somewhat recently, and have been considering a more official devise + 2fa basic integration, nothing concrete, don't want to overpromise anything yet, but maybe expect to hear more on that in the near future.

[collimarco]

@carlosantoniodasilva Thanks for the great news. For 2FA maybe you could consider a merge of this project into Devise: https://github.com/tinfoil/devise-two-factor It works very well, and it would be nice to have compatibility in the future. The only part that is missing are the views, which maybe Devise could provide.

[tcannonfodder]

An important note about passkeys and OTP/2FA is that passkeys supersede 2-factor authentication methods; because it's baked into the passkey protocol (as mentioned in the documentation as part of the "Passkeys replace multi-factor authentication flows (or alternatively: passkeys use MFA by default)" section).

If there's a roadmap to have Devise support passkeys out of the box, which would involve a migration by apps & libraries, I think the best course of action is should go directly to passkeys rather than implementing OTP/2FA. The reasons behind that thinking are:

1. It increases the size of devise's codebase, adding an extra featureset that needs to be maintained for a process that's a patch for the inherent insecurity of passwords
2. Since passkeys replace both password + second factor authentication, if we're upgrading Devise for the next generation of authentication, we don't need to bake OTP/2FA (since it's been replaced)
3. There are existing libraries to support password + second factor authentication, which can be used in cases where an app/library cannot currently migrate to passkeys for external reasons (which are increasingly becoming less relevant with the propagation of evergreen browsers, mobile devices as roaming authenticators, and security keys)
4. It muddies the water on the difference between passwords + 2FA and passkeys, causing confusion and potentially guiding an app/library to forgo passkeys (which would be a security loss for both the user & the app/library)

Note: Updating the original list of documentation with an FAQ from the FIDO alliance

[tcannonfodder]

@tcannonfodder first, my apologies for not getting back here earlier. I've been super behind on all OSS-related things, trying to do some catch up work here again this year.

No worries at all, I get it! OSS work is difficult, and takes a lot of time/energy (hence why I also had to take a break) Thanks for getting back to me.

Second, appreciate the write up and initial work on the passkey support / feature. I can definitely see a future where Devise works out of the box with passkeys, even though I'm not yet super familiar with how they work. (admittedly, that's one area I need to catch up a bit on as well)

It's an exciting new feature, I love talking about it! Some helpful links to orient yourself (pulling from the original issue & some of my own research):

• https://fidoalliance.org/passkeys/#faq
• https://passkeys.dev
• https://developer.apple.com/passkeys/
• Demo site: https://webauthn.io

I am slightly afraid of renaming all.the.things though, and breaking lots of apps and libraries out there that rely on the current naming & structure of things, for example controllers can be inherited from, etc., so it needs some careful consideration on any renaming. I do have plans to release some breaking changes and major versions in the near future, but maybe one thing at a time. 😅

Yeah, it's a big breaking change. That's why ideally there would be a lot of communication, multiple point-releases where things are marked for deprecation, and a clear & concise upgrade guide. Happy to help out with all of that as well, to ensure a smooth migration.

Unfortunately, I don't really see a way around it. Decoupling passwords out of Devise's core concepts such as authentication, registration, and sanitization is a crucial first step in supporting passkeys. That makes it clear where the separation of concerns lies between:

• Devise as a session management/authentication manager/account recovery director
• Devise's password authentication/recovery tooling
• Devise's passkey authentication/recovery tooling

Since it's already going to require changes from apps/libraries, I think it's better to make Devise as explicit as possible with the separation of concerns, and smooth the migration process with all the ideas mentioned above.

For now though, I have some other priorities to get through here, initially getting Devise + Turbo working fully out of the box, and then going from there. In the meantime, have you done any passkeys integration with Devise as-is? I'd like to look at (and perhaps, even implement some) integration code myself, before having a better idea of what changes would be necessary to have something like this better baked into devise itself. But like I said, I think it's definitely something that Devise could support entirely in the future.

Totally understand, that's important! I don't currently have any passkey integration with Devise as-is. I have implemented a passkeys authentication layer in non-Devise authentication systems, which is what lit the fire in me over getting Devise upgraded to passkeys (so we can all benefit from passkeys!)

Now that I have the first 2 parts of renaming to decouple passwords from Devise, I can start work on the passkeys data models & implementation. Once I start with that, I can make a demo Rails app using the fork, and link to it here; so we can review and refine it! :)

[collimarco]

@tcannonfodder I don't see Passkeys as a replacement for Authenticator apps in the immediate future, I see them as something complementary that can coexist:

1. Most applications that I use have support for 2FA, but not yet for Passkeys, which is a very recent technology with possibly many unknown challenges. Having said that, I agree that Passkeys are really interesting and probably the future
2. Passkeys can be used for 2FA. Ideally the user can choose between a 2FA using an Authenticator app or using Passkeys. Heroku does this: https://devcenter.heroku.com/articles/built-in-authenticators#mfa-verification-with-a-built-in-authenticator Basically the Passkeys are the second factor, but don't replace the password.