Feature summary (what you would like to be able to do and where):
Passkeys (also known as multi-device FIDO credentials) should be offered as a first resort instead of passwords (and accompanying multi-factor authentication schemes), and accounts with passwords should be capable of transitioning to use passkeys exclusively.
Passkeys are currently supported as a multi-factor authentication method through Extension:WebAuthn.
Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
Any authentication flow that includes a password should instead favor passkeys as a first resort: if an account has both, it should ask for a passkey by default. New accounts should be encouraged to avoid creating passwords in the first place in favor of passkeys.
Multi-factor authentication systems, if present, should only be used alongside passwords: passkeys are phishing-resistant due to their design, so TOTP codes and similar systems are redundant.
Benefits (why should this be implemented?):
Passwords are notoriously insecure, and systems like TOTP are still vulnerable to phishing attacks while adding considerable complexity to login flows. Major websites like Wikipedia have yet to implement multi-factor at large, still relying on passwords as the first and last line of defense. I feel it would be valuable for MediaWiki to set a good example for the Internet ecosystem as a whole by adopting passkeys as soon as possible.
Passkeys don't rely on a shared secret of any kind, which massively improves the security of servers: they are much easier to implement than other authentication schemes as a result.
Numerous projects use MediaWiki, and all of them would gain considerable security benefits and a better user experience from adopting passkeys. All major OS and browser vendors have committed to their support, and they are already implemented in macOS and iOS. By the time MediaWiki finishes implementing it, it is likely to be supported on the other major platforms as well.
Implementation:
I (TheDJ) was trying to find how the UX flow should work for a login screen when you have:
- Users with passwords
- Users with a passkey known to the system (say Apple's touchID+keychain)
- Users with a hardware passkey (say a Yubico key)
- Users with 2FA
And I found this explainer, which I think is pretty helpful if anyone ever wanted to work on this.
https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI
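As an added illustration of the passkey-first flow described in the use case above and the conditional UI approach the explainer linked here covers (this is example code, not part of MediaWiki or Extension:WebAuthn), the login page script below starts a conditional WebAuthn request on load and encodes the stated policy that a passkey never needs a TOTP step. The endpoints /login/passkey/options and /login/passkey/verify are hypothetical.

```javascript
// Added example, not project code. Assumes hypothetical endpoints
// /login/passkey/options (returns base64url challenge + rpId) and /login/passkey/verify.

// Decode base64url (how servers usually send WebAuthn challenges) to bytes.
function base64urlToBytes(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Policy from the request: passkey first when the account has one and the
// browser supports WebAuthn; TOTP only ever backs up a password, never a passkey.
function chooseAuthFlow(account, caps) {
  if (account.hasPasskey && caps.webauthn) {
    return { method: 'passkey', secondFactor: false };
  }
  if (account.hasPassword) {
    return { method: 'password', secondFactor: Boolean(account.hasTotp) };
  }
  return { method: 'none', secondFactor: false };
}

// Build PublicKeyCredentialRequestOptions for a discoverable-credential request.
// allowCredentials stays empty so the authenticator offers whatever passkeys it
// holds for this rpId (the conditional UI / autofill case from the explainer).
function buildRequestOptions(challengeB64, rpId) {
  return {
    challenge: base64urlToBytes(challengeB64),
    rpId,
    allowCredentials: [],
    userVerification: 'required', // presence + verification, so no TOTP step
    timeout: 120000,
  };
}

// Start conditional mediation as soon as the page loads; the promise resolves
// only once the user picks a passkey from the username field's autofill list.
async function startConditionalLogin(signal) {
  if (typeof PublicKeyCredential === 'undefined' ||
      !(await PublicKeyCredential.isConditionalMediationAvailable())) {
    return null; // fall back to the password form
  }
  const opts = await (await fetch('/login/passkey/options')).json();
  const cred = await navigator.credentials.get({
    mediation: 'conditional',
    signal, // abort via an AbortController when the user submits a password instead
    publicKey: buildRequestOptions(opts.challenge, opts.rpId),
  });
  return cred; // POST cred.response to /login/passkey/verify
}
```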