WebAuthN is a W3C standard intended to let users authenticate without passwords. It relies on public-key cryptography combined with various factors (e.g. hardware key, fingerprint/TouchID, etc.). WebAuthN was developed by the FIDO Alliance. This alliance includes Google, Amazon, Microsoft, RSA and other companies.
The goal of this extension is to make WebAuthN more widely available. It implements WebAuthN completely in the WSC. Users who have activated WebAuthN do not need to enter their password anywhere in the WSC and can authenticate with their security key everywhere (login, ACP login, etc.).
- Complete implementation of WebAuthN in the WSC
- WebAuthN can already be activated during registration
- Login in frontend and backend (ACP) via WebAuthN
- Several security keys can be added (e.g. 2 YubiKeys or one YubiKey and TouchID, etc.)
- Administrators can remove security keys in ACP
Technically, WebAuthN is very secure due to the public-key procedure. Even someone acting remotely (via a taken-over PC, etc.) cannot log in to an account that is protected via WebAuthN.
However, WebAuthN also has disadvantages. For example, if the security key is physically stolen, the thief could theoretically access the accounts. WebAuthN is therefore only as secure as the care the user takes of their security key.
I lost my security key. Now what?
Usually your account will be lost. However, the administrators of the relevant site may be able to help by removing the security keys manually in the ACP. Every administrator should be aware, though, that most accounts are/have been taken over due to social hacking.
Supported browsers and security keys
In principle, most common browsers support WebAuthN. However, some browsers only support hardware keys, others also support TouchID/fingerprint, etc.
- Edge (from version 18)
- Firefox (from version 60)
- Chrome (from version 67)
- Safari for macOS (from version 12.1)
- Opera (from version 54)
- Android Browser (from version 67)
- Chrome for Android (from version 75)
- Firefox for Android (from version 67)
- Brave for iOS (from version 1.11.3)
Source for browser support: https://caniuse.com/#search=webauthn
The YubiKey is currently the most widely used security key that supports WebAuthN. There are several other security keys with which WebAuthN already works; it is recommended that you do your own research, as the list is constantly changing.
This extension is fully compatible with WoltLab Suite Core 3.1 and 5.2. Compatibility with 3.0 has not been established yet and is currently not planned. If interest in 3.0 is big enough, I will think about it.
Various third-party libraries were used for the implementation. These are listed below.
What happens after the purchase?
Create a user account on hanashi.dev. In your settings, go to Activate purchases and enter your API information from the API Access page. Now click Submit. You have now activated access to the support forum.
- 256.79 kB
- 2 Downloads
- FIX: Update ability of 1.1.0 pl 1 was missing
- 256.78 kB
- 3 Downloads
- FIX: Fixed error message when key cannot be decoded
- CHANGE: the key was erroneously always named with the e-mail and not with the key name
Version 1.1.0 pl 1
- 256.86 kB
- 7 Downloads
- 256.85 kB
- 2 Downloads
- FIX: Language variable fixed
- FIX: incorrect verification of the domain
- FIX: Error in the registration fixed
- FIX: Login in maintenance mode possible again
- FIX: security bug
- CHANGE: Code optimizations
- CHANGE: Branding removed
- CHANGE: Conversion of the WebAuthN Workflow
- FEATURE: Compatibility with WebAuthN via FaceID/TouchID (requirement: macOS 11/iOS 14/iPadOS 14)