
MediaWiki should support passwordless login with passkeys
Open, Needs TriagePublicFeature

Description

Feature summary (what you would like to be able to do and where):

Passkeys (also known as multi-device FIDO credentials) should be offered as a first resort instead of passwords (and accompanying multi-factor authentication schemes), and accounts with passwords should be capable of transitioning to use passkeys exclusively.

Passkeys are currently supported as a multi-factor authentication method through Extension:WebAuthn.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

Any authentication flow that includes a password should instead favor passkeys as a first resort: if an account has both, it should ask for a passkey by default. New accounts should be encouraged to avoid creating passwords in the first place in favor of passkeys.

Multi-factor authentication systems, if present, should only be used alongside passwords: passkeys are phishing-resistant due to their design, so TOTP codes and similar systems are redundant.

Benefits (why should this be implemented?):

Passwords are notoriously insecure, and systems like TOTP are still vulnerable to phishing attacks while adding considerable complexity to login flows. Major websites like Wikipedia have yet to implement multi-factor at large, still relying on passwords as the first and last line of defense. I feel it would be valuable for MediaWiki to set a good example for the Internet ecosystem as a whole by adopting passkeys as soon as possible.

Passkeys don't rely on a shared secret of any kind, which massively improves the security of servers: they are much easier to implement than other authentication schemes as a result.

Numerous projects use MediaWiki, and all of them would gain considerable security benefits and a better user experience from adopting passkeys. All major OS and browser vendors have committed to their support, and they are already implemented in macOS and iOS. By the time MediaWiki finishes implementing it, it is likely to be supported on the other major platforms as well.

Implementation:
I (TheDJ) was trying to find how the UX flow should work for a login screen when you have:

  1. Users with passwords
  2. Users with passkey known to the system (say Apple's touchID+keychain)
  3. Users with hardware passkey (say a Yubico key)
  4. Users with 2FA

And I found this explainer, which I think is pretty helpful if anyone ever wanted to work on this.
https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI
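An added example of the login-screen flow that explainer describes (this is not MediaWiki or Extension:WebAuthn code): a passkey-first page that uses WebAuthn conditional UI, falls back to an explicit passkey prompt on older browsers, and lets password (plus 2FA) users proceed as before. The endpoints /webauthn/challenge and /webauthn/assert are assumed placeholders.

```javascript
// Added example, not MediaWiki or Extension:WebAuthn code: passkey-first login
// with WebAuthn conditional UI. Assumed placeholders: GET /webauthn/challenge
// returns raw challenge bytes, POST /webauthn/assert verifies the assertion.

// Discoverable-credential request: no allowCredentials list, so the browser
// can offer any passkey for this rpId before the user has typed a name.
function buildPasskeyRequestOptions(challenge, rpId) {
  return { challenge, rpId, userVerification: "required", allowCredentials: [] };
}

// Which dialog the login screen should run, given what the page knows.
//   conditionalUi: PublicKeyCredential.isConditionalMediationAvailable()
//   platformAuth: PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
//   submittedPassword: the user typed a name and password instead
function nextStep({ conditionalUi, platformAuth, submittedPassword }) {
  if (submittedPassword) return "password-then-2fa"; // legacy accounts; hardware keys stay usable as 2FA
  if (conditionalUi) return "conditional-passkey";   // passkeys listed in the username autofill
  if (platformAuth) return "modal-passkey";           // older browser: explicit passkey prompt
  return "password-form";
}

async function startLogin(form) {
  const pkc = globalThis.PublicKeyCredential;
  const step = nextStep({
    conditionalUi: !!pkc && !!pkc.isConditionalMediationAvailable &&
      await pkc.isConditionalMediationAvailable(),
    platformAuth: !!pkc && await pkc.isUserVerifyingPlatformAuthenticatorAvailable(),
    submittedPassword: false,
  });
  if (step !== "conditional-passkey") return; // keep the password form visible
  const challenge = new Uint8Array(await (await fetch("/webauthn/challenge")).arrayBuffer());
  const abort = new AbortController();
  // The request stays pending while the form is shown; the browser lists
  // passkeys in the <input autocomplete="username webauthn"> dropdown.
  const pending = navigator.credentials.get({
    publicKey: buildPasskeyRequestOptions(challenge, location.hostname),
    mediation: "conditional",
    signal: abort.signal,
  });
  // The user chose the password path: cancel the pending passkey request.
  form.addEventListener("submit", () => abort.abort(), { once: true });
  const assertion = await pending.catch(() => null); // AbortError or nothing chosen
  if (assertion) {
    // toJSON() is WebAuthn Level 3; older browsers need manual base64url encoding.
    await fetch("/webauthn/assert", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(assertion.toJSON()),
    });
  }
}
```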

Event Timeline

Aklapper renamed this task from MediaWiki does not support passkeys. to MediaWiki should support passkeys. Oct 26 2022, 4:03 PM

Major websites like Wikipedia have yet to implement multi-factor at all

This is not a true statement. See Help:2FA. There are criticisms of the 2FA system on Wikipedia, but "doesn't exist" is not one of them. :)

My mistake: I remember checking and not finding one, a while back.

Actually, looking at that document, it mentions support for WebAuthn: that is actually the same standard as passkeys, so if you have support for that you're most of the way there! The main difference is that passkeys don't have to be hardware-bound, which is the source of the recovery issue that page notes.

A few tweaks to how WebAuthn fits in, of which the most important is making it available as the sole and default method of authentication rather than a mere second factor, and MediaWiki will have perfect support.

OK, I've tested WebAuthn 2FA with Wikipedia, and found an unusual issue: I can successfully create and use a passkey on macOS 13.0 and Safari 16.1. However, when attempting to use it to login on iOS 16.1 and Safari 16.1, Wikipedia's login flow doesn't seem to prompt for a passkey at all.

Instead, it simply says "Please touch your verification device or follow the instructions from the browser". It has a single button, "Continue login", which causes the verification process to fail when pressed. My iPhone definitely has the WebAuthn/passkey credential I registered on my Mac: it just isn't getting asked for it like the latter is.

Is it possible that there is some sort of mobile-specific bug with the WebAuthn implementation?

The mobile bug seems to be T286138.

Just to confirm, Passkey as 2FA works fine on desktop right?

Just to confirm, Passkey as 2FA works fine on desktop right?

It did in October, yes.

I switched my account to TOTP upon encountering the issue. Let me know if you want me to switch it back temporarily to see if it still works.

As far as I know, all versions of Safari share the same functional implementation. My best guess is that MediaWiki is violating the specification somewhere, and it only works on macOS due to undefined behavior.

The mobile bug should be fixed with T286138, and it'll be deployed on WMF wiki early next year.

alistair3149 renamed this task from MediaWiki should support passkeys to MediaWiki should support passwordless login with passkeys. Jun 13 2023, 2:53 AM
alistair3149 updated the task description.

Passkeys are origin-bound so this is blocked on T244088: Logging in at another wiki than WebAuth was set up fails.

Passkeys as a second factor are a clear security improvement over TOTP (which is not origin-bound, so phishable) and a usability improvement over U2F as you don't need an extra piece of hardware. Passwords as primary authentication, not so sure. Easy to get yourself locked out when you lose your phone (for 2FA we'd do a human review and remove the second factor; for lost primary credentials, what would we do?), passkeys are device-bound so you'd need some sort of cross-device attestation process, and you essentially transfer security to the device managing the passkey (phones with fingerprint sensors are probably OK; but e.g. Windows Hello uses a 6-digit PIN which is hardly safer than a password).