
Comment by lrvick

3 years ago

If possible, implement WebAuthn even if only for human verification.

Bots will not have access to TouchID, Windows Hello, or a Yubikey but most humans have one of those in the device in front of them right now.

Fall back to captcha for edge cases, but then at least /most/ people can skip it.

Example: https://cloudflarechallenge.com/

Those can all easily be emulated in software, if you're determined enough.

There's nothing about the WebAuthn protocol that forces hardware backed key storage, other than everyone collectively agreeing it's a good idea. A bot author would just ignore that.

Firefox already includes this functionality, gated by flag (security.webauth.webauthn_enable_softtoken).

  • > Those can all easily be emulated in software, if you're determined enough.

    Not possible if vendor signature checking is enforced. All major WebAuthn device manufacturers sign the keys of all the devices they produce. You can prove a given device is unique and issued by Apple, Yubico, Google, Microsoft, etc.
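The relying-party side of the check described in the reply above, as an added example that is not from this thread or any of its posters: a registration gate in Python, built on a hand-rolled minimal CBOR codec, that refuses a credential registered with attestation format "none" (what a pure-software token typically offers) and accepts only authenticator models whose AAGUID is on an allowlist. The AAGUID, attestation statement and credential bytes are constructed placeholders, not real device data.

```python
import struct

# Minimal CBOR (RFC 8949) codec for the subset WebAuthn attestation objects use: unsigned ints, byte/text strings, maps.
def cbor_encode(v):
    def head(major, n):
        if n < 24: return bytes([major << 5 | n])
        if n < 256: return bytes([major << 5 | 24, n])
        return bytes([major << 5 | 25]) + struct.pack(">H", n)
    if isinstance(v, int): return head(0, v)
    if isinstance(v, bytes): return head(2, len(v)) + v
    if isinstance(v, str): return head(3, len(v.encode())) + v.encode()
    return head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())

def cbor_decode(buf, pos=0):
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24: n = info
    elif info == 24: n, pos = buf[pos], pos + 1
    elif info == 25: n, pos = struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    else: raise ValueError("unsupported CBOR length encoding")
    if major == 0: return n, pos
    if major == 2: return bytes(buf[pos:pos + n]), pos + n
    if major == 3: return buf[pos:pos + n].decode(), pos + n
    if major != 5: raise ValueError("unsupported CBOR major type %d" % major)
    d = {}
    for _ in range(n):
        k, pos = cbor_decode(buf, pos)
        d[k], pos = cbor_decode(buf, pos)
    return d, pos

def attestation_policy(attestation_object, trusted_aaguids):
    """RP registration gate, returns (accepted, reason): no attestation statement or unknown model -> reject."""
    att, _ = cbor_decode(attestation_object)
    if att.get("fmt") == "none" or not att.get("attStmt"):
        return False, "no attestation statement: authenticator origin unverifiable"
    auth_data = att["authData"]  # rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | key
    if len(auth_data) < 55 or not auth_data[32] & 0x40:  # AT flag (bit 6) must be set
        return False, "attested credential data missing"
    aaguid = auth_data[37:53]
    if aaguid not in trusted_aaguids:
        return False, "AAGUID %s not in trusted set" % aaguid.hex()
    return True, "fmt=%s aaguid=%s" % (att["fmt"], aaguid.hex())  # signature/chain check follows

# Constructed sample data, not real attestations: placeholder AAGUID, filler attStmt and credential bytes.
TRUSTED_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")

def make_attestation_object(fmt, aaguid, att_stmt):
    auth_data = b"\x00" * 32 + b"\x45" + b"\x00\x00\x00\x01" + aaguid + b"\x00\x10" + b"\x01" * 16
    return cbor_encode({"fmt": fmt, "attStmt": att_stmt, "authData": auth_data})

PACKED = make_attestation_object("packed", TRUSTED_AAGUID, {"sig": b"\x30\x00"})
SELF_DECLARED = make_attestation_object("none", bytes(16), {})
```

A real relying party then verifies the attStmt signature and its x5c certificate chain against the vendor roots (for example from the FIDO Metadata Service), which this example deliberately leaves out; the gate above only establishes that there is something to verify and that the claimed model is one you trust.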