Implementation of Passkeys Authentication in Directus for Enhanced Security

[vamsii777]

Summary

The proposal involves the integration of passkeys authentication into Directus. Passkeys are a secure, passwordless login method where each passkey acts as a unique digital key that cannot be reused. Unlike traditional passwords, passkeys are encrypted and stored on the user's devices instead of on the company's servers, providing enhanced security against data breaches. This feature will allow users to authenticate using passkeys, thereby reducing the reliance on passwords and enhancing overall account security.

Basic Example

No response

Motivation

Traditional password-based authentication has proven to be vulnerable to attacks such as data breaches and phishing. Introducing passkeys as an alternative to passwords will significantly enhance the security of the Directus platform. Passkeys, being unique digital keys stored in an encrypted format on user devices, are not easily hackable, reusable, or phishable.

Detailed Design

The passkey-based authentication system will use the WebAuthentication (WebAuthn) standard, which uses public-key cryptography. Upon user registration or opting-in for passkeys, the system will generate a pair of keys - a public key that will be stored on the Directus servers and a private key that will be stored on the user's device.

During authentication, the server will send a challenge to the user's device. The private key will be used to sign this challenge and send it back to the server, which will then verify it using the public key, thereby authenticating the user.

Here's a broad overview of what the integration might look like:

1. User Registration
   When a user registers, along with their basic details, Directus should prompt for an additional step of passkey registration. This will involve the creation of a public-private key pair, where the private key is securely stored on the user's device and the public key is stored on the Directus server.

2. User Authentication
   When a user tries to login, Directus should initiate a challenge-response protocol. The server sends a challenge to the user's device, which is then signed with the private key. The signed response is sent back to the server, which verifies it using the stored public key.

3. Support for Multiple Devices:
   Users should be able to register multiple devices, each with its own public-private key pair.

4. Fallback Mechanism:
   A fallback mechanism (like a password or OTP) should be in place in case the user loses access to their registered device(s).

Requirements List

Must have

• Implementation of the WebAuthn standard

Should have

• Seamless transition for existing users to switch to passkey authentication

Could have

• Multi-device support, allowing users to use their passkeys across different devices

Won't have (now)

• Backup or recovery methods for lost passkeys

Drawbacks

• Implementing passkeys may increase the complexity of the codebase
• Not all users may have compatible devices or browsers
• Users may find it difficult to transition from traditional passwords to passkeys

Alternatives

• Two-factor authentication
• Biometric authentication

Adoption Strategy

This feature will be implemented as an opt-in feature, allowing users to choose whether they want to use passkeys or continue using traditional passwords. This ensures that it is not a breaking change. A comprehensive guide will be provided to help users understand the benefits and usage of passkeys.

Unresolved Questions

• What is the best way to handle lost passkeys?

[rijkvanzanten]

Heya! Thanks for opening this feature request!

This request has been fast-tracked by the Core Team, who feels it is an immediate candidate for our formal review process. This means we'll move this feature request to the Under Review category!

The Core team will schedule a meeting to review this request as soon as possible. The discussion will then be approved or denied. You may or may not be invited to join this meeting with the core team.

For more information, see our Feature Request Process.

[madc]

@rijkvanzanten We're currently investigating this topic and would be very interested. Can you keep us up to date on the progress / internal discussion?

[rijkvanzanten]

Nothing yet! Wanna chat through your investigations so far on Discord? I could use some help figuring out what an implementation would look like in real life, as I haven't really experimented with WebAuth before 🙂

[madc]

I'm fairly new to the topic as well, but found this website outlines the process very well:
https://www.passkeys.io

We tested it with Windows pin code, a FIDO key (Solo) and biometrics/fingerprint on the phone/Mac.

The basic idea (as far as I understood) is:
You simply register with e-mail only. You can than add one or more methods of authentication (hardware key, biometrics, ...none of it is a simple password). If you don't add one, you can login via link (email).

[BlackDahlia313]

Would this be something implemented in the SDK for frontend implementation or would we have to integrate something like passkeys.io into the frontend of our sites?

For my non SAML clients and my own personal stuff, I am interested in this.

[useEffects]

Status on this?

[judsd]

I provided more details in #19629 on how this can this can be implemented.