Feature request: WebAuthN support for accounts (Passkey and Security key)

[Zac0511]

It would be nice to add WebAuthN support for an account's security, which would support for :

• Passkeys (saved on mobile devices, Windows Hello, or password managers)
  • Work both as 2FA and also a way to login ("Login with Passkey" button without even typing an email), and could also allow the user to delete their password to use Passkey only sign in
• Physical Security Keys (Yubikey, Google Titan key, etc)
  • Work as 2FA only

This could make Puter accounts more secure (at least for people who set it up), and also, with Passkeys, make logging in quicker and easier.

Note: yes i do know i already made an issue about passkeys (#379) but this new issue is better and includes physical security keys.

[mohnishbaker]

I would like to work on it please assign it to me.
I am new to open source contributions please assign me any new issue if you feel I should work on this.
Thanks I would really like to try and contribute.
I have setup puter on my local.

[jelveh]

@mohnishbaker Assigned! Let us know if you need help

[mohnishbaker]

Hi @Zac0511 , @jelveh ! I have completed the webAuthN implementation using 2FA, Passkey and singIn using passkey
I was working on implementing the password-less signIn and remove the password implementation for that I had a few questions regarding that :
1). After removing the password should we give the option to add password instead of change password ?
2). If someone has 2FA enabled and has removed the password and tries to deactivate the 2FA what should be the case for that because 2FA requires password to be disabled ?

Thank you.

[Zac0511]

Hi @Zac0511 , @jelveh ! I have completed the webAuthN implementation using 2FA, Passkey and singIn using passkey I was working on implementing the password-less signIn and remove the password implementation for that I had a few questions regarding that : 1). After removing the password should we give the option to add password instead of change password ? 2). If someone has 2FA enabled and has removed the password and tries to deactivate the 2FA what should be the case for that ?

Thank you.

For 1, yes the change password button could become and add password button, for 2, 2FA could be disabled (since logging in via passkey most of the time also bypasses 2FA), as long as the passkey CANNOT be deleted if there is no password, or else the user would get locked out of their account.

[mohnishbaker]

Hi @Zac0511 @jelveh, I have completed the feature implementation and raise a PR. Please review it. Thank you.

PR: #2846

[mohnishbaker]

Signed the CLA. Thank you.

[Salazareo]

Hi @mohnishbaker thanks for the contribution, unfortunately we were in the middle of a big rewrite to our backend so your changes got caught in the middle.

could you port them over to new structure?

[mohnishbaker]

@Salazareo , Sure on it.