Why WebAuthn and Passkeys?

It's a little confusing because "WebAuthn" is the technical name ("Authn" is a shortening of "Authentication", because nobody wants to type long words any more, even though spicy autocomplete can do it for us now...?) and "Passkey" is the more "branded", general term used when talking to users and customers. Strictly the two aren't interchangeable: WebAuthn is the W3C browser API and protocol, and a Passkey is a WebAuthn credential packaged for consumers, typically one the browser can discover without the user typing a username first and one a platform can sync between devices. For the sake of the user's experience and simplicity, though, they can be treated as the same thing.

I won't go into the details of what it actually is. You can learn about that in this fantastic blog post by Neal Fennimore. There are also some more technical articles that go into the details, such as the W3C spec and a web.dev article.

How and why Storyden uses Passkeys

Storyden supports Passkeys as a fundamental authentication method. This means you can register for and sign in to a Storyden site with nothing but a Passkey. This is a great way to keep your account secure and to make sure you don't have to remember a password for every site you use.

Email + Password is not the default any more

Storyden's authentication model does not simply have an "email" and "password" column in its data model. Storyden is a platform for the next era of the web, so it would be foolish to fall into old ways, especially for authentication. Passwords can be enabled, but they are not assumed to be the default. You can operate a Storyden instance and completely disable passwords if you want.

Similarly, email is not considered a default either. The world is changing and people are much more conscious of privacy, security and technical monopolies on data. You may not want to sprinkle your email address all over the net. While there have been efforts by Apple, Mozilla, and others to create relay email addresses that forward to your real one, if you don't need someone's email, then why even require it? This is why Storyden operates on a username-first model: email is optional, for transactional or newsletter purposes, but it's not a default.

As an operator of a Storyden community, you have the choice to use email + password as the login method for your members, but you also have the choice to allow full anonymity with a username + passkey combination.

The benefits of Passkeys

Passkeys are great in certain circumstances. They're not a silver bullet, but with growing support on devices, browsers and operating systems, they're becoming more and more viable as a default authentication method.

Privacy

The privacy and security implications are great, for users and administrators alike. A Passkey is a key pair created for one site: the private key never leaves the user's authenticator and the server only ever stores the public key, so there is no shared secret to phish, brute force or reuse across sites. That isn't just great for users, it's great for operators and administrators too, because a leaked user table contains nothing an attacker can log in with, which removes the responsibilities and risks that come with storing and managing passwords. The per-site key pair also means one Passkey can't be used to correlate a user across different sites.

Under the hood this works because WebAuthn uses public key cryptography: the browser has the authenticator sign a one-time challenge from the server together with the origin the page was actually loaded from, so a lookalike phishing site can't relay a sign-in. The result is a secure and (almost) seamless way for users to access their accounts. This not only safeguards sensitive user data but also reduces the likelihood of unauthorized access to accounts, especially admin accounts!

User-Friendly Experience

In addition to bolstering security, WebAuthn offers a user-friendly experience, assuming you're on a compatible device. With no passwords to remember, users can enjoy a hassle-free login process. This not only streamlines access to Storyden but also eliminates the need for password resets and the associated frustrations.

It's not all perfect though, I'll get into why that is in the next section.

The downsides of Passkeys

Passkeys are great, but they're not perfect. There are some downsides to using them, and it's important to be aware of them before you decide to use them as a default authentication method.

Dealing with multiple devices

All services on which I've recently enabled a Passkey have treated them as a form of 2FA rather than your primary login method. This isn't just because of support, but also difficulties with being locked out of your account. The spec does not define a way to recover accounts or synchronise keys. This is left up to vendors such as Apple, Microsoft and Google.

So, if you're locked in to enjoying the Apple ecosystem on all your devices, you're pretty much covered as iCloud's keychain will synchronise an end to end encrypted backup of your keys between your devices. This means I can sign up to a Storyden instance on my Macbook, then log in to that same account on my iPhone without having to do anything. It's pretty great.

Outside of the (walled) garden of Eden though, it gets a bit tricky. Windows Hello supports Passkeys, but whether and where they sync is not clear, and if your phone is an Android or iPhone you'll need to do some extra work (a password manager, or cross-device sign-in by scanning a QR code with the phone) to use the same account there. Not everyone will know that's even a requirement, which introduces the risk of having your key on only one device without knowing how to transfer it. If you lose or factory-reset that device, that key is gone, and unless you registered another sign-in method, so is your account.

Password managers to the rescue?

1Password and other password managers offer a pretty nice experience for this, but it's far from widely adopted, and if you're already using a password manager, the benefits over a generated password aren't immediately clear to you as a user.

I'm a tech nerd so I'm clued in on this stuff, but that's a minority. Not many folks I know outside of tech use password managers, so with Passkeys they could risk being locked out.

Domain changes require careful planning

Passkeys are tightly coupled to the domain name of the service. Each credential is scoped to a Relying Party ID, which has to be the site's domain (or a parent of it), and a hash of that ID goes into every signed response, so the browser will only ever offer a credential on the domain it was created for. This is partly to piggyback on the security of HTTPS and domain ownership, but the downside is that changing domains will not be so simple: a key created for the old domain is simply never offered on the new one.

As an administrator of a platform, you may want (or need) to change domains, and currently this process is not well defined. You need to do a bunch of work to prepare users for the change, and then those users also need to take action on their devices: register a new Passkey on the new domain while the old one still signs in, or fall back to a second sign-in method. It's no secret that people rarely read product updates, so communicating this is a challenge.
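Both of the properties discussed above, phishing resistance from the origin check and the Relying Party ID binding that makes a domain change break every stored Passkey, fall out of the same few checks a server performs on a sign-in response. The Go program below is an added example written for this article; it is not Storyden's own code, and the hostnames forum.example, forum-example.evil and new-forum.example, the fakeAuthenticator type and the function names are all constructed for illustration. It implements the core of the WebAuthn sign-in ceremony: the authenticator signs authData || SHA-256(clientDataJSON) with the credential's private key, and the server checks the rpIdHash, the origin, the challenge and the signature against the public key it stored at registration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn's clientDataJSON the server must check.
// Origin is filled in by the browser from the page actually loaded, not by page scripts.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's challenge bytes
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() hands back to the server.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte
}

// fakeAuthenticator stands in for a platform authenticator (constructed for this example).
type fakeAuthenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// sign produces an assertion for the RP ID the credential belongs to, at the given origin.
func (f *fakeAuthenticator) sign(rpID, origin string, challenge []byte) assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	f.counter++
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x01) // UP flag: user presence confirmed
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], f.counter)
	authData = append(authData, ctr[:]...)
	cdJSON, _ := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, f.priv, digest[:])
	return assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}
}

// verifyAssertion is the server side: every check here is what binds the credential
// to one RP ID, one origin and one fresh challenge.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a assertion) error {
	if len(a.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is bound to a different RP ID")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: signed at %q, expected %q", cd.Origin, origin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch (replayed response?)")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	return nil
}

// runScenarios registers one credential for forum.example and replays three sign-ins.
func runScenarios() (legit, phish, moved error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &fakeAuthenticator{priv: priv}
	pub := &priv.PublicKey // what the server stored at registration
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	// 1. Normal sign-in on the site the credential was created for.
	legit = verifyAssertion(pub, "forum.example", "https://forum.example", challenge,
		auth.sign("forum.example", "https://forum.example", challenge))
	// 2. Phishing: a lookalike page relays the real challenge. The browser records the
	// origin the user is really on, so the server rejects it even though the user approved.
	phish = verifyAssertion(pub, "forum.example", "https://forum.example", challenge,
		auth.sign("forum.example", "https://forum-example.evil", challenge))
	// 3. Domain move: the server now expects new-forum.example, but the stored credential
	// hashes the old RP ID, so every existing Passkey stops working.
	moved = verifyAssertion(pub, "new-forum.example", "https://new-forum.example", challenge,
		auth.sign("forum.example", "https://new-forum.example", challenge))
	return legit, phish, moved
}

func main() {
	legit, phish, moved := runScenarios()
	fmt.Println("legitimate sign-in:", legit)
	fmt.Println("phishing origin:   ", phish)
	fmt.Println("domain changed:    ", moved)
}
```

In a real browser the RP ID is derived from the loaded origin, so in cases 2 and 3 the credential would not even be offered to the user; the server-side checks shown here are the backstop that catches a response signed anywhere else. A production verifier additionally checks the signature counter, the user-verification flag where required, and the attestation format at registration, which a library handles for you.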

How Storyden treats Passkeys

Passkeys are great, but not a silver bullet. Storyden also doesn't want to enforce a password because ultimately, that's up to operators to decide. So, Storyden treats each authentication method equally and recommends that users set up at least two methods of authentication, so that losing one device or one provider doesn't lock them out. These can be any combination:

  • a Passkey + a Web3 wallet
  • a password + a Google login
  • a phone number + a Passkey

In conclusion

Operators can enable whichever authentication methods they want, depending on their community's values and goals. If you want to go fully decentralised, you can use Passkeys and a Web3 wallet. If you don't mind using centralised services, an OAuth2 provider such as Google and Passkeys are fine, and if you want to support traditional email + password, you can do that too.

Get started with Storyden today and build a secure and privacy friendly community ready for the next era of the social web.