I'm confused how this works. I tried the demo and Bitwarden asked me if I wanted to save the passkey. From a UX experience, this felt weird.. Why do I need to create an account, and save that account? Why is passkey storage prevent bots? Just that bots haven't added that automation yet?

Passkey can be thought of as software emulation of a smartcard (aka hard token aka Yubikey). When it asks you to save it, that's when it creates the virtual smartcard in some reasonably secure local storage (possibly TPM-secured or at least kernel-secured).

The benefit of this approach is that a bot doesn't have the private key.

Of course you want to be sure that webauthn on boarding can't be botted.

I'm still confused... Why can't headless Chrome with Bitwarden easily by-pass this? What private key?

Totally agree with this - when it popped up asking me if I wanted to use my fingerprint to do ..._something_... I felt like I was at risk and noped out.

What part of webauthn can a computer not do?

I understand if you say bots are currently not programmed to, but is that why this will temporarily work or is there something more fundamental?

Yeah, the notably missing part in README is "how this works".

What I'm scared of is some sort of cryptography becoming the death of the open web. Baking keys into your hardware and doing remote attestation. It doesn't tie you to a real-world identity except that you're locked into using an unrooted (DRM'd) device for using online services like a normal person

If I had to choose between two evils, I'd rather upload my passport to cloudflare and be able to get anonymous tokens from their API (RSA blind signatures or whatever) to prove I'm a real person and browse the web with Firefox and no closed source components, than be forced into hardware attestation and a locked-down device. But uploading government IDs to a (few) central point(s) of trust will create outcry about privacy whereas hidden cryptography baked into normal people's devices with Google Play Services and Apple Something and just working in the background goes unnoticed until everyone (the 99% who aren't on a custom ROM) already experienced the benefits

For webauthn I know it can be all software, I've used virtual devices for testing a server implementation's security, but I vaguely remember there also being a mode that requires having keys signed by a hardware vendor. Just not sure anymore if that was webauthn or something else related to authentication

Apple has already shipped remote attestation with Safari and Cloudflare has been working to standardise their test release of this scheme as a web standard. It's only a matter of time before remote attestation starts replacing CAPTCHA thanks to the advances in AI.

The worst part will probably be that any hardware backed attestation mechanism will need to blacklist entire ranges of devices once scrapers and other bots find a mechanism to mass produce attestation results, the same way a dumped key from a bluray player carries the risk of killing all future bluray player functionality from devices with that model.

WebAuthn is pretty useless for this purpose as far as my understanding of it goes (as you can pretty much emulate all of it, except if the website has a hardware whitelist that'll eventually block a lot of legitimate users as well). It's harder to bypass remote attestation mechanisms, though, as they're actually meant to provide security against bots.

> If I had to choose between two evils, I'd rather upload my passport to cloudflare and be able to get anonymous tokens from their API (RSA blind signatures or whatever) to prove I'm a real person and browse the web with Firefox and no closed source components, than be forced into hardware attestation and a locked-down device.

I don't want to do either. Not interested in Altman's eyeball crap either.

Bot prevention is not my problem as a user anyway. In fact in many cases scraping is very useful to me and could be used to have AI agents monitoring a website and informing me when something changes. Like a price drop.

I mean, yeah, obviously nobody wants either, but

> Bot prevention is not my problem as a user anyway

It isn't until it is. Today already one needs to

- "hold this button for 5 seconds to access this website" (and if you let go in between it offers the same captcha but will deny access until you reload the page and do what they ask), e.g. phys.org article I accessed iirc from HN

- Select all mountains or whatever, many forms on many many websites

- Rotate this puzzle piece until it fits (Chinese video website where someone linked to from YouTube because the randomly selected Chinese recipient of a gift posted their reaction there)

- Add up the dice from these 15 pictures and select the matching die (github registration)

- "Your IP address doesn't have access. Request ID 929cjn289w." various websites

- "Something went wrong" -> open the developer tools -> server says IP address blocked. Retry with a different user agent string succeeds. (German eBay)

- Can access something from popular browsers but not then grab it with curl because they block that user agent (I needed this because my Android "download manager" was broken. Why the browser can't download it by itself like on any other OS, I don't know, but so I need to do downloads with wget/curl/whatever and this is very often blocked by user agent string)

- Verify your phone number to prove you're not a bot (Microsoft, Google, German eBay, Telegram, you name it)

But it's not your issue as a user! :P

More seriously, this is why I'm bringing this up now before the choice is already made, things magically work for the 99% using crypto solutions like proposed in the submission and the freedom to run free software is even more impaired than it already is today (ask anyone who runs a custom ROM or something as heinous as rooted their device but would still like to use payments or get updates for their device like a normal person)

This is neither a new idea or a good one. Cloudflare did a PR launch of pretty much the same thing a few years back, and that you haven't actually seen it in the wild probably tells you all you need to know about how useful it is.

Webauthn is not an integrity attestation; it doesn't tell you anything about how trustworthy the client is. Nor is it a uniqueness attestation; an attacker can mint an arbitrary number of different identities at basically no cost. It's a primitive for building account security systems, not one for building abuse prevention ones.

Some relevant HN threads:

https://news.ycombinator.com/item?id=27141593

https://news.ycombinator.com/item?id=27153254

https://news.ycombinator.com/item?id=27500326

there is attestation of the registration device in webauthn

so you can tell that a token was signed by an official yubikey, apple secure enclave, tpm, etc

for yubikeys the attestation signing certificate is shared between devices, but this number is limited

so you could rate limit... just it would be a horrible experience when you are limited

What about for software implementations like 1Password and Bitwarden?

They can't fake the attestation from hardware implementations so you could just reject keys from software implementations.

Wouldn't companies/bots/etc. still just get around this by buying many such hardware devices and automating their usage instead?

So what about users that don't have any such hardware?

Use a CAPTCHA?

Yes of course, but I hope this is part of the plan. Too often new technologies seem to leave some people apart, because the deciders don't think (or don't want to think) about those who don't want to (or can't) embrace a specific technology.

Yeah but that breaks real usecases from real users.

It's really annoying, PayPal does this too. They only support passkeys in safari or chrome, even though it works just fine with a yubikey in Firefox. They just go out of their way to stop it from working. Really really annoying.

And they also refuse to enroll more than one token even for the basic fido2 mfa.

I don’t see that in the code. But you’re right that there is something heuristic you can do.

Here is a relevant discussion about it in S/O: https://stackoverflow.com/questions/67797804/how-to-distingu...

the cynic in me thinks this will become mandatory on major websites at some future point

so you won't be able to log into youtube unless you have a TPM approved by Google

As other commenters have said, a better solution needs to be something that is prohibitively difficult for bots to mint.

I’m sure there are a few contenders in the space but one I’m aware of is [worldcoin](https://world.org/)

Worldcoin has always creeped me out since this:

https://d1sr9z1pdl3mb7.cloudfront.net/wp-content/uploads/202...

Saruman's vacation pics?

Giving biometric data to Sam Altman has to be one of the worst ideas we could pursue. Not only is Worldcoin a know scam, rightfully being banned in several countries, Sam and OpenAI are one of the major reasons realistic-looking misinformation became easier to proliferate.

He’s done enough damage, let’s not make the creator of the problem in charge of the “solution” that benefits him too.

https://www.buzzfeednews.com/article/richardnieva/worldcoin-...

https://www.technologyreview.com/2022/04/06/1048981/worldcoi...

Honestly I just want government backed digital ID for this stuff.

I know the concerns.

I no longer care. The benefits outweight the costs, imho. I want to be able to tell a site "yes I'm Martin here's proof either ban me or let me in but stop making me jump through hoops to prove ID.

And so that social sites I use will no longer have to deal with undesired non-unique accounts for bot swarms and sockpuppets and the like.

The political usefulness of swarms of bots and sockpuppets is why I have conspiracy theories about the conspiracy theories about digital ID.

Props for sharing what's probably a ubiquitously hated opinion on HN.

Here are two of my own, just to join in:

1. Social credit score system. We should all be able to point our phone at antisocial behavior and damage their score. Until then there's pretty much zero recourse against people who have hostile social behaviors that don't commit a crime (like arguing with the McDonalds employee or causing a scene when someone asks them to turn down their music on the bus). People hate on "Karens" but they're actually our last remaining line of defense against these people.

2. As soon as you get on a public road, the government should have dystopian-level control over your car. You can't speed. You can't run a red light (or it will be video recorded and you'll be insta-billed). When there's a wreck, the camera feed in all nearby vehicles is auto-uploaded to the net so all parties can see what happened, no fuss. Break the rules a few times? That's fine, you get your government issued tiny zip car for a year and we'll see if you can respect the shared roads after that. And, of course, alcohol breath analysis to drive.

All shown in https://en.wikipedia.org/wiki/Nosedive_(Black_Mirror)

Also in https://orville.fandom.com/wiki/Majority_Rule

> 1. Social credit score system. We should all be able to point our phone at antisocial behavior and damage their score. Until then there's pretty much zero recourse against people who have hostile social behaviors that don't commit a crime (like arguing with the McDonalds employee or causing a scene when someone asks them to turn down their music on the bus). People hate on "Karens" but they're actually our last remaining line of defense against these people.

I don't think you'll actually want to live in a society that works like this. It's called a panopticon. Like some experimental prisons or the DDR which was basically a nation-prison. Everyone will be living a fake life trying to look good while hiding their real wants and needs. This is not natural for people.

And those things are not crimes for a reason. We can't possibly criminalise every little thing that might annoy someone. Some people are jerks or have a bad day, yes. That's no reason to obliterate the concept of privacy.

Also, something that annoys some people will be loved by others. Opinions are like assholes. Everyone's got one.

> As soon as you get on a public road, the government should have dystopian-level control over your car. You can't speed. You can't run a red light (or it will be video recorded and you'll be insta-billed). When there's a wreck, the camera feed in all nearby vehicles is auto-uploaded to the net so all parties can see what happened, no fuss. Break the rules a few times? That's fine, you get your government issued tiny zip car for a year and we'll see if you can respect the shared roads after that. And, of course, alcohol breath analysis to drive

Just get the self driving cars already. Then there is no more need for traffic policing. And we can just spend our time in the car as we wish. No need to go all Draconian and from a tech difficulty point of view it's similarly heavy.

> I don't think you'll actually want to live in a society that works like this

If you don't have social credit or some other kind of consequences... then people will continue to abuse things because there is no guilt/shame/fear for their actions. But if you DO have it, then as you say it leads to a fake and unnatural way of living.

Perhaps the answer is somewhere in the middle?

>... point our phone at antisocial behavior and damage their score.

wow! That's going to work well. Groups never gang up to bully people they disagree with.

Why would a social credit score system powered by technology help? Will there be punishments if your score drops too low?

You may have already seen it, but OpenPassport allows for partial disclosure of passport data. It's less applicable to the use case of the OP and more applicable for e.g. one time account verification.

https://github.com/openpassport-org/openpassport

I don't have any strong view either way on the government ID verification for online services. At least in theory though, the concept of partial/selective disclosure of passport data seems to be a good middle ground between proving humanity and maintaining privacy.

There is a US government authentication system (login.gov).

It does nothing on Linux.

In Chrome devtools, use WebAuthn > Enable virtual authenticator environment to see the result.

It worked fine on Mac, curious how does it work on Windows?

Windows has had TPM-backed authentication mechanisms baked in for a while now. For devices lacking biometrics, you authenticate with your Windows PIN/password, use a phone, or use a yubikey or similar device. Or, on any OS, you can use addons like Bitwarden to take over WebAuthn for you.

I do wonder what the macOS workflow looks like, especially if you don't have a fingerprint reader on your keyboard.

No need for passkeys, just a back and forth between your physical secure key and the browser.

I don’t think you understand the problem space. Although, this is a great alternative for SMB’s who aren’t being targeted by attackers who are writing tools specifically for their business.

But, also.. A hardcoded “what’s 7\1=“ would also achieve the same outcome.

Barrier to beat is “can the attacker put together a webauthn emulator”. Low, but will work for many organisations for a long time.