developers.yubico.com

"Passwordless" Demo is misleading

Open Aptimex opened this issue 5 years ago • 0 comments

Demo.yubico.com allows you to register a hardware security key (using WebAuthn) as either a second factor (default), or using a resident credential for logging in without needing a password OR username. But the second option (when selecting "Add Security Key") is described by a checkbox that says "Enable passwordless login with this key."

This is misleading because "passwordless" WebAuthn usually refers to using the exact same (non-resident) WebAuthn protocol as MFA registration, but the security key completely replaces the password (and instead requires local user verification, i.e. PIN). The "passwordless" option on the demo site would more accurately be described as "usernameless." The website should be changed to reflect that difference, and perhaps a third, more accurate "passwordless" option implemented. It would also be good to specify there that the "usernameless" option will take up limited space on the security key, unlike the other two options.

Good example of another site that correctly demonstrates this difference here (no affiliation): https://www.passwordless.dev/passwordless

Aptimex, Feb 06 '21 01:02
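
The three flows the issue above distinguishes, written out as WebAuthn option objects. This is an added example, not code from demo.yubico.com or from the issue author; the function names, the `example.test` relying-party ID and the choice to require user verification in the usernameless flow are assumptions.

```javascript
// Added illustration: mode names follow the issue; function names are hypothetical.
const MODES = {
  // Password stays the first factor; the key only proves possession.
  secondFactor: { residentKey: "discouraged", userVerification: "discouraged" },
  // Username is still typed; key plus PIN replaces the password.
  passwordless: { residentKey: "discouraged", userVerification: "required" },
  // Credential lives on the key, so no username is needed either.
  // (Requiring user verification here is an assumption.)
  usernameless: { residentKey: "required", userVerification: "required" },
};

// Options for navigator.credentials.create({ publicKey: ... }).
function registrationOptions(mode, user, challenge) {
  if (!Object.hasOwn(MODES, mode)) throw new Error(`unknown mode: ${mode}`);
  return {
    rp: { name: "Example RP", id: "example.test" }, // constructed values
    user,
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: { ...MODES[mode] },
  };
}

// Options for navigator.credentials.get({ publicKey: ... }).
function loginOptions(mode, challenge, knownCredentialIds) {
  if (!Object.hasOwn(MODES, mode)) throw new Error(`unknown mode: ${mode}`);
  return {
    challenge,
    rpId: "example.test",
    userVerification: MODES[mode].userVerification,
    // An empty list makes the key locate a resident credential itself;
    // otherwise the server supplies IDs looked up from the typed username.
    allowCredentials: mode === "usernameless" ? []
      : knownCredentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Name the flow that a set of registration options actually requests.
function classify(options) {
  const sel = options.authenticatorSelection || {};
  // requireResidentKey is the older boolean form of residentKey: "required".
  const resident = sel.residentKey === "required" || sel.requireResidentKey === true;
  if (resident) return "usernameless";
  return sel.userVerification === "required" ? "passwordless" : "secondFactor";
}

// True when registration is certain to consume a resident slot on the key.
const usesKeyStorage = (options) => classify(options) === "usernameless";
```

Running `classify` over the options a site sends at registration shows which of the three flows its checkbox really enables, whatever the label says.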