Administrivia: Passkeys/WebAuthn/FIDO keys

Announcements about major changes in Haven & Hearth.

Administrivia: Passkeys/WebAuthn/FIDO keys

Postby loftar » Thu May 18, 2023 7:45 pm

Since there was some talk about 2-factor authentication back in August, I just thought I'd make an announcement that the website since a wee while back supports WebAuthn (also known as Passkeys, or FIDO authentication). If you try to register an account or log in, you can leave the password field empty to use a WebAuthn authenticator instead of a password, and you can also go to the Account Security page to register WebAuthn authenticators with already existing accounts.

For those unaware, WebAuthn is an open standard for second-factor authenticators, where the second factors can take several forms. For example:
  • There are hardware USB keys from multiple vendors.
  • Windows has built-in WebAuthn support as long as you configure Windows Hello.
  • Most mobile phone browsers support WebAuthn with the phone's biometric sensors, and
  • If you run a recent enough version of the mobile operating systems, you can also use the phone as an authenticator for a desktop computer through a QR code (the browser will generate said QR code), kind of as if it were a wireless USB key.
  • I know there's also the intention that ordinary password managers should support being WebAuthn authenticators, but I'm not sure if the browsers have added the required APIs for that yet, since non-hardware-based WebAuthn is still a somewhat recent development and is still evolving.
  • Again, it's an open standard, so there may also be other implementations out there that I'm not even aware of.

There are a couple of advantages to using WebAuthn over ordinary passwords, for example:
  • To begin with, and most obviously, if you choose an appropriate authenticator, it is 2FA. Even a passphrase-protected software implementation like Windows Hello with PIN still counts as 2FA, since you need not only the passphrase, but also the actual computer that the FIDO key is stored on. Since Windows Hello also runs outside of the browser, it makes it more robust against potential attacks that might use exploits in the web browser itself.
  • Since you effectively register one key per authenticator, if you have a system that is lost/stolen/exploited/whatever, you can simply log in elsewhere and remove its key, without having to change the whole account password.
  • WebAuthn uses asymmetric encryption for its authentication, so there's no sensitive data stored server-side which could be exploited in case of a data leak.
  • Even if you keep a password on your account, using WebAuthn for the most part still means that you're never exposing that password to potential infected browsers or other MITM attacks.

The Haven website doesn't yet support completely removing your password, but if you effectively want to do that, you can just use a ridiculously long random-generated password and just forget about it. Another recommendation might be to choose a password that is longer and more complex than what you'd normally use for convenience reasons, and be okay with that since you can use a more convenient WebAuthn authenticator in the common case.

Keep in mind, also, that account recovery through your e-mail account will keep on being possible, so your account won't be more secure than your e-mail account is. Not saying that's not secure enough, but it might be something to be mindful of.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Administrivia: Passkeys/WebAuthn/FIDO keys

Postby Ardennesss » Thu May 18, 2023 9:48 pm

TL;DR
Ardennesss
Posts: 1127
Joined: Sun Oct 06, 2013 4:22 pm

Re: Administrivia: Passkeys/WebAuthn/FIDO keys

Postby noindyfikator » Thu May 18, 2023 10:05 pm

First you login with password then you provide code from authenticator app. That's how it should work.

If I understand it correctly you want to replace password with code. First time I see such approach and imo it's bad
W3 - W10 - Hermit / small plots with spruces
W11 - The Friend Zone
W12 - KoA aka Kingdom of Ashes
W13 - Monke
W14 - Alpaca Farm aka Animal Planet
W15 - Whatever Bay - The Greatest Siege Defense Victory in Haven History - https://www.youtube.com/watch?v=KhyUveSeZ0Q
noindyfikator
Posts: 827
Joined: Fri Jul 15, 2011 11:10 am

Re: Administrivia: Passkeys/WebAuthn/FIDO keys

Postby loftar » Thu May 18, 2023 10:56 pm

noindyfikator wrote:First you login with password then you provide code from authenticator app. That's how it should work.

If I understand it correctly you want to replace password with code. First time I see such approach and imo it's bad

The idea is that the procedure, and level of security, is up to the implementation, and that an implementation can use however many factors you want it to. Half of the idea is to get rid of the service (the Haven website, in this case) needing to know your password at all, which I think is safe to say is a strictly positive thing, security-wise. TOTP also has its own fair share of security problems, primarily it not being phishing-resistant, and also both the client and server needing to share an unhashed and otherwise unobfuscated secret. From the cryptography that I know, WebAuthn is strictly better than both, even taken together.

Ardennesss wrote:TL;DR

Go to Account Security to register any FIDO authenticator you might have, then use it to log in instead of using your password.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Administrivia: Passkeys/WebAuthn/FIDO keys

Postby vatas » Fri May 19, 2023 9:35 am

Loftar, did you ever implement that thing where you could generate and share a token that lets you log into characters but not use any other account functions?

There's some questions about this, like do you blanket remove the ability to transfer hats if you log in this way, or make it a toggle? That would be the main reason why you would be interested in not losing the account because the person you shared with turned out to be not so trustworthy (other than the $15 verification fee and any remaining subscription time.)

Also the issue of not wanting to send a message that account sharing is endorsed, I guess.

(sorry if I'm OutOfTheLoop)
The most actively maintained Haven and Hearth Wiki (Not guaranteed to be up-to-date with all w14 changes.)

Basic Claim Safety (And what you're doing wrong) (I recommend you read it in its entirety, but TL;DR: Build a Palisade.)

Combat Guide (Overview, PVE, PVP) (Includes how to escape/minimize risk of getting killed.)
vatas
Posts: 4514
Joined: Fri Apr 05, 2013 8:34 am
Location: Suomi Finland Perkele

Re: Administrivia: Passkeys/WebAuthn/FIDO keys

Postby loftar » Mon May 22, 2023 3:17 pm

vatas wrote:Loftar, did you ever implement that thing where you could generate and share a token that lets you log into characters but not use any other account functions?

No, and I'm still not sure I will. I'm not sure I won't either, though, it's just not something that I think about every day.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am

Re: Administrivia: Passkeys/WebAuthn/FIDO keys

Postby Massa » Fri Jun 02, 2023 7:15 pm

what
ass blast USA
Massa
Posts: 1480
Joined: Sat Jun 01, 2013 4:58 am
Location: the hams
