-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Passkeys support #5527
Comments
I've started a fork here: https://github.com/tcannonfodder/devise ; and will start working on PRs to begin the process. I'd definitely appreciate any help from contributors who also want to see this happen |
Thanks for doing this work. |
Any updates on this? |
Hoping to get back on this soon! Work’s been busy, plus not having any guidance from the maintainers is…demoralizing |
This is the kind of project I would actually be happy to put money behind to facilitate the upgrade. We use devise in a load of projects and official support for things like passkey and 2FA would be a dream. |
@rmaspero Yes, that would be great. For 2FA you can use this gem: https://github.com/tinfoil/devise-two-factor |
For those following the progress: I did another batch of renaming existing models & classes to prefix the appropriate ones with Next up will be working on underlying data models for passkeys |
@tcannonfodder first, my apologies for not getting back here earlier. I've been super behind on all OSS-related things, trying to do some catch up work here again this year. Second, appreciate the write up and initial work on the passkey support / feature. I can definitely see a future where Devise works out of the box with passkeys, even though I'm not yet super familiar with how they work. (admittedly, that's one area I need to catch up a bit on as well) I am slightly afraid of renaming all.the.things though, and breaking lots of apps and libraries out there that rely on the current naming & structure of things, for example controllers can be inherited from, etc., so it needs some careful consideration on any renaming. I do have plans to release some breaking changes and major versions in the near future, but maybe one thing at a time. 😅 For now though, I have some other priorities to get through here, initially getting Devise + Turbo working fully out of the box, and then going from there. In the meantime, have you done any passkeys integration with Devise as-is? I'd like to look at (and perhaps, even implement some) integration code myself, before having a better idea of what changes would be necessary to have something like this better baked into devise itself. But like I said, I think it's definitely something that Devise could support entirely in the future. @rmaspero @collimarco I've had the need to review an OTP/2FA implementation somewhat recently, and have been considering a more official devise + 2fa basic integration, nothing concrete, don't want to overpromise anything yet, but maybe expect to hear more on that in the near future. |
@carlosantoniodasilva Thanks for the great news. For 2FA maybe you could consider a merge of this project into Devise: https://github.com/tinfoil/devise-two-factor It works very well, and it would be nice to have compatibility in the future. The only part that is missing are the views, which maybe Devise could provide. |
An important note about passkeys and OTP/2FA is that passkeys supersede 2-factor authentication methods; because it's baked into the passkey protocol (as mentioned in the documentation as part of the "Passkeys replace multi-factor authentication flows (or alternatively: passkeys use MFA by default)" section). If there's a roadmap to have Devise support passkeys out of the box, which would involve a migration by apps & libraries, I think the best course of action is should go directly to passkeys rather than implementing OTP/2FA. The reasons behind that thinking are:
Note: Updating the original list of documentation with an FAQ from the FIDO alliance |
No worries at all, I get it! OSS work is difficult, and takes a lot of time/energy (hence why I also had to take a break) Thanks for getting back to me.
It's an exciting new feature, I love talking about it! Some helpful links to orient yourself (pulling from the original issue & some of my own research):
Yeah, it's a big breaking change. That's why ideally there would be a lot of communication, multiple point-releases where things are marked for deprecation, and a clear & concise upgrade guide. Happy to help out with all of that as well, to ensure a smooth migration. Unfortunately, I don't really see a way around it. Decoupling passwords out of Devise's core concepts such as authentication, registration, and sanitization is a crucial first step in supporting passkeys. That makes it clear where the separation of concerns lies between:
Since it's already going to require changes from apps/libraries, I think it's better to make Devise as explicit as possible with the separation of concerns, and smooth the migration process with all the ideas mentioned above.
Totally understand, that's important! I don't currently have any passkey integration with Devise as-is. I have implemented a passkeys authentication layer in non-Devise authentication systems, which is what lit the fire in me over getting Devise upgraded to passkeys (so we can all benefit from passkeys!) Now that I have the first 2 parts of renaming to decouple passwords from Devise, I can start work on the passkeys data models & implementation. Once I start with that, I can make a demo Rails app using the fork, and link to it here; so we can review and refine it! :) |
@tcannonfodder I don't see Passkeys as a replacement for Authenticator apps in the immediate future, I see them as something complementary that can coexist:
|
I agree that there are some challenges that need to be fixed with passkeys currently, but there are workarounds and solutions. A concrete example I've run into is labelling passkeys for different subdomained apps: a solution there is to store the key as a resident key (for a pure passwordless experience), and clearly label the key through the username (eg: And the problems are being solved pretty quickly, as far as browser/OS standards bodies go! Especially considering how many big companies are on the board: https://fidoalliance.org/members/ The "Most applications don't have support for passkeys" is a chicken/egg problem, and part of why I've been working to get a first-class implementation in Devise itself. There are a few factors that impact adoption:
Making sure we get a first-class passkeys implementation correct resolves the first 2 points, and having good documentation helps immensely with point 3. It's frustrating, but understandable, that more apps haven't adopted passkeys; but part of that is making sure Devise supports it out of the box with a clear, straightforward implementation. Once that's in place, it becomes a lot more easier to prioritize migrating to passkeys on a roadmap. And, if it's the default for Devise, greenfield apps support get it to start with; driving up the demand for passkey implementations for existing apps. Win, win! 🎉
This pattern of password + second factor is a bad implementation, caused by slow bureaucracy, miscommunication, and legacy authentication schemes. Technically, using a built-in authenticator (as listed in the Heroku docs), isn't a passkey. It's using the Some notes about this from the passkeys FAQ:
The migration process is going to be slow, so we should make it as direct & painless as possibleSince we already know that the migration process is going to be long; Devise should be focused on setting up users of the library for long-term success. In my mind, that includes:
Again, there are other libraries that provide OTP & other MFA methods for Devise. So in my mind, the question becomes one of priorities & maintenance for Devise: Do we take time to implement OTP & other MFA authentication schemes, write up all the documentation for that, deal with the maintenance & issue overhead; and then ask apps/libraries to go through the process of migrating to passkeys? That would certainly slow down the adoption of passkeys industry-wide by making it unclear why someone should do the work on mucking about in their authentication layer twice. In my mind, it is better to skip the intermediary step and go right to passkeys, since there's already existing solutions for passwords + MFA for Devise through external libraries. It makes greenfield apps better out of the gate, it makes Devise easier to maintain by having a smaller codebase, and it helps clarify what the ideal authentication path is (part of why folks use Devise to start with) |
Started a testbed Rails app to sketch out an implementation; will take me a while as I get used to Devise's codebase (rather than just renaming stuff): https://github.com/tcannonfodder/devise-passkeys-testbed-app/tree/sketch RE: example implementation for passkeys. Cedarcode (the maintainers for the webauthn gem) have an example app for passwordless login: https://github.com/cedarcode/webauthn-rails-demo-app |
Status update: I've got a experimental, not production ready, very rough sketch, 1,000,000% serious do not use this in production, yes even you implementation in: https://github.com/tcannonfodder/devise-passkeys-testbed-app/tree/sketch Going to start detangling & refactoring it out into usable bits, but wanted folks to know progress is being made. |
Another status update: I implemented a Warden strategy for WebAuthn, which will be the foundation for any devise implementation of passkeys. The code is here: https://github.com/ruby-passkeys/warden-webauthn Note that there isn't any documentation yet, but there are tests and it's got 100% code coverage. I'm also asking any security researchers to give the code a look, because again, it's a foundational piece of code Likewise, there is now a GitHub organization for passkey related libraries for Ruby https://github.com/ruby-passkeys |
Some updates:
Maintainers and help are desperately needed for this, see the following list of things where help is needed: https://github.com/ruby-passkeys#help-needed Again, this code needs security reviews, documentation, and general polish from folks with more devise experience than I do (hence the need for maintainers!) @carlosantoniodasilva I know you were looking for implementation examples; hopefully these help! :) |
Thank you @tcannonfodder for pushing on this initiative. From the beginning and after we got https://github.com/cedarcode/webauthn-ruby to a stable place, we always had the plan of adding a Devise extension that would allow its easy usage for users of such a big and spread out library like Devise. I think we're making steps in the right direction overall and the challenge will become integrating into Devise without practically redoing many core things it does. From my personal experience, it's gonna be much easier to put something like passkeys as a first and only factor rather than have it as a second factor. To go back to @carlosantoniodasilva 's question:
Almost 3 years ago, when the concept of passkeys didn't even exist and it was all just plain WebAuthn, our team spent some time, adding it to Mastodon as an experiment. Being today still the active implementation of WebAuthn or Passkeys as one of the second factor offers in there. mastodon/mastodon#14466 Hope this helps and looking fwd to stay tuned and add any value I can to this conversation. |
👋 Updating with some news! I've cut an initial alpha of Note that this is an alpha build, so it should be used with experimental projects. I wanted to get this version cut as soon as the test coverage was finished so that folks could start providing some concrete feedback. There's still a long ways to go, but check it out! And, as always, we need maintainers! |
Wanted to assure folks that this project is still alive; but we need maintainers on it! |
Hey just bumping this a bit. Came across this whilst looking for a passkey solution for rails, and my obvious preference is to use this in tandem with Devise. Is this something that is on the roadmap? Appreciate everyone is extremely busy, but this issue has been open for two years now, with the last update having been posted nearly 1 full year ago. Wondering if the maintainers have had any opportunity as of yet to make progress with this - I can see @tcannonfodder has made a very serious attempt to push this forward up to last year (thank you!). Passkeys aren't going away, and adoption now compared with 2 years ago is substantially improved. It would be great to have an officially supported (and easy) solution for devs to adopt this and have it work gracefully with the rest of Devise. |
Hey there!
With the move towards passkeys (through the FIDO Alliance, Apple's OS updates, Windows Hello, etc.); I think it would be extremely useful for the larger Ruby community to have Devise support passkeys instead of passwords as an authentication method.
After some initial scanning of the Devise & Omniauth wiki, it feels like passkeys support should be baked into Devise itself; because it explicitly replaces passwords. Getting some guidance on how we should move forward would be invaluable.
Passkeys replace passwords (or alternatively: passkeys replace the mechanism of password exchange)
Unlike Shibboleth, SAML, OAuth, etc.; you're not using an external identity to verify a user, the browser & server exchange a public/private keypair instead of asking the user to generate & remember a password. So it doesn't necessarily fit as an Omniauth strategy.
Passkeys replace multi-factor authentication flows (or alternatively: passkeys use MFA by default)
Unlike the multi-factor extensions listed in the wiki, passkeys replace multi-factor authentication extensions because multi-factor authentication is baked into the passkey exchange ceremony (especially with the
userVerification: required
flag).Some relevant links:
Passkeys still use a lot of Devise's features
Since passkeys are simply a replacement for the password mechanism, an app that wants to use passkeys would still ideally want to use the 10 modules listed in devise's feature summary (just tailored for registering passkeys instead of passwords).
How would we proceed?
This is a big change, so it obviously wouldn't happen overnight, but I think for the long-term safety of users (both app that use Devise, and the customers of said apps), decoupling passwords out of Devise and replacing them with passkeys is essential.
I think the roadmap for this would be:
:password
:passkey
Again, getting some guidance on what makes the most sense for Devise would be a huge help. This is a project I believe in, since it raises for floor for everyone, and am happy to help out however I can.
The text was updated successfully, but these errors were encountered: