Once upon a time, in a server far, far away, there was a person using a computer. When he went to the bathroom, someone gained access and edited something on that computer just because he could. That access was protected by a simple four-digit PIN that guarded the whole system. Nobody knew until it was too late.

Not only was the user in charge of that account falsely accused (he did nothing wrong and couldn’t have known), but there was also no way to pinpoint the real culprit. And that was nothing compared to realizing we couldn’t prevent the same problem from happening again at any other terminal: the authentication flow was buried deep inside the system, and we couldn’t just pull it out.

Since I’m redoing that internal application from scratch, this event came up when we discussed who would have permission to use it. Passwords can be eavesdropped, shared, and written down on paper. The quick proposal was mandatory 16-character passwords full of symbols and numbers, rotated automatically every month, but I replied:

That only moves the problem from the terminal onto the user, and the password will not only be written down but kept at hand, which is exactly what we’re trying to avoid. Passwords are not the Devil, but in these circumstances, they indeed are.

2FA authenticators are a nuisance because you still need the password first (that’s why it’s called 2FA in the first place), and having to enter a code from your phone or another authenticator on every login makes things a little more secure but also a little more cumbersome.

I had to investigate another method that didn’t burden the user, nor the system itself. Something easier than checking an email each time you wanted to log in, or having a custom key-generator device hanging around someone’s neck.

I could imagine someone signing in at any terminal with their own device, like a smartphone or a USB security key, instead of being asked for a password. The same behaviour that native Android and iOS apps already have, but in your site, without having to code a custom app from scratch.

And that’s where WebAuthn comes in.

#laravel #php #programming #webauthn

Login Users with Their Fingerprints using Laravel
10.10 GEEK