You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Demo.yubico.com allows you to register a hardware security key (using WebAuthn) as either a second factor (default), or using a resident credential for logging in without needing a password OR username. But the second option (when selecting "Add Security Key) is described by a checkbox that says "Enable passwordless login with this key."
This is misleading because "passwordless" WebAuthn usually refers to using the exact same (non-resident) WebAuthn protocol as MFA registration, but the security key completely replaces the password (and instead requires local user verification, i.e. PIN). The "passwordless" option on the demo site would more accurately be described as "usernameless." The website should be changed to reflect that difference, and perhaps a third more accurate "passwordless" option implemented. It would also be good to specify there that the "usernameless" option will take up limited space on the security key, unlike the other two options.
Demo.yubico.com allows you to register a hardware security key (using WebAuthn) as either a second factor (default), or using a resident credential for logging in without needing a password OR username. But the second option (when selecting "Add Security Key) is described by a checkbox that says "Enable passwordless login with this key."
This is misleading because "passwordless" WebAuthn usually refers to using the exact same (non-resident) WebAuthn protocol as MFA registration, but the security key completely replaces the password (and instead requires local user verification, i.e. PIN). The "passwordless" option on the demo site would more accurately be described as "usernameless." The website should be changed to reflect that difference, and perhaps a third more accurate "passwordless" option implemented. It would also be good to specify there that the "usernameless" option will take up limited space on the security key, unlike the other two options.
Good example of another site that correctly demonstrates this difference here (no affiliation): https://www.passwordless.dev/passwordless
The text was updated successfully, but these errors were encountered: