Web Authentication API

friedger · June 19, 2018, 8:29am

In the Spec (https://w3c.github.io/webauthn) it says:

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

In the chat engineers commented that this would be a good fit. What is needed to make this API work for blockstack? Can Blockstack become a relying party?

The spec should be adjusted to clarify that it can also work without a server.

friedger · November 13, 2018, 9:35am

I explored the possibilities how to get rid of the password during onboarding but that does not really work as the password is used for encryption. The Web Authentication API does not allow for encryption, just authentication.

Until browsers implement transport layers like blockstack:protocol (in addition to the current NFC, USB, …) or until we have a web API to sign transactions there is little we can do here.

MichaelFedora · November 13, 2018, 5:59pm

I don’t have time to read up on the technical details of webauthn, but you could technically have the browser catch requests to browser.blockstack.org/webauthn?my&params=here and redirect with things. It is feasible, just not fun to implement

friedger · November 14, 2018, 9:36pm

@MichaelFedora Not sure I understand your comment.

Webauthn let you signin to websites without password by signing a challenge (from the server/app that the user want to sign in). The browser has an API for that and the app developer can make use of it (progressively).

However, I don’t see how this fit into the flow of the blockstack browser on-boarding (where the user needs to give a password)

MichaelFedora · November 15, 2018, 7:56pm

Are you talking about people authenticating into the Blockstack Browser or people authing with the Blockstack Browser for generic webauthn apps?

I was assuming the latter, and from what you stated here it still seems like it would work.

In addition, the blockstack browser only needs the password for encrypting the private key. It’s never used anywhere else. If the browser wanted to supply a different private key to encrypt it with, that works too… shrug.

If none of this makes sense then I digress as honestly I should read into it before commenting next time =)

friedger · November 16, 2018, 8:39am

@MichaelFedora I was referring to the further. I wanted to make the auth into Blockstack Browser easier. But probably, I confused both as well.

For webauthn to work with the blockstack browser the user agent/web browser needs to support blockstack as the so-called transport layer: The app developer calls something like navigator.credentials.create in the web app and then the user agent tries to find means to create these credentials. Currently, the user agent supports these credential creations through USB, NFC or BLE, an not (yet?) through Blockstack or DIDs in general.