Going Passwordless With py_webauthn

This article has been indexed from The Duo Blog

Would you like to drop passwords completely from your users’ sign-in experience? With the right settings, the WebAuthn API can easily give you strong assurance that a user is who they say they are without them ever having to enter a password.

Let’s dive into how you can use Duo’s py_webauthn library to enable passwordless user authentication in your Python server.

WebAuthn and Multi-Factor Authentication

Multi-factor authentication is built on the basic tenet, “Something you know, something you have, something you are: pick two.”

It isn’t obvious just by looking at the spec, but WebAuthn can be configured for three discrete “modes” that satisfy different combinations of these factors: two-factor authentication, passwordless authentication, and “usernameless” authentication.

Here, we’ll focus on achieving passwordless authentication by capturing the following factors:

  1. Physical interaction with a hardware authenticator, like a YubiKey Security Key, for the possession factor (“something you have”)
  2. The user’s subsequent entry of a PIN or biometric scan for the knowledge factor (“something you know”) or inherence factor (“something you are”), respectively.

Together, these two factors quickly and sufficiently authenticate the user’s identity in a single interaction.
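The two factors above are recorded by the authenticator itself in the "flags" byte of the authenticator data it returns: the user-present (UP) bit for the physical touch and the user-verified (UV) bit for the PIN or biometric. The following is an added example, not code from the article or from py_webauthn, that parses that structure with only the standard library and accepts an assertion as passwordless only when it was made for the assumed relying party ID `example.com` and both bits are set; a library verifier performs this same check when you require user verification.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present: the authenticator was physically touched
FLAG_UV = 0x04  # user verified: a PIN or biometric was checked by the authenticator


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]            # SHA-256 of the relying party ID
    flags = auth_data[32]                  # UP / UV / AT / ED bits
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian counter
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def satisfies_passwordless(auth_data: bytes, rp_id: str) -> bool:
    """True only if the assertion is for our RP and carries both factors."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # signed for a different relying party
    # A touch-only (UP without UV) assertion proves possession but no PIN/biometric.
    return parsed["user_present"] and parsed["user_verified"]


def make_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData prefix for demonstration (no attested credential)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


RP_ID = "example.com"  # assumed relying party ID for this example
# Constructed samples: one touch-plus-PIN assertion, one touch-only assertion.
PASSWORDLESS_ASSERTION = make_sample(RP_ID, FLAG_UP | FLAG_UV, 7)
TOUCH_ONLY_ASSERTION = make_sample(RP_ID, FLAG_UP, 8)

if __name__ == "__main__":
    print(satisfies_passwordless(PASSWORDLESS_ASSERTION, RP_ID))  # True
    print(satisfies_passwordless(TOUCH_ONLY_ASSERTION, RP_ID))    # False
```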

Setting up WebAuthn for passwordless authentication is easy if you leverage one of the many open-source libraries available for most popular programming languages. Let’s see how we can accomplish this with Duo’s own Python-based py_webauthn library.

Setup

py_webauthn can be installed from PyPI with the following command:

pip install webauthn

An example server is available for you to follow along with on GitHub.

Registration

First, we’ll need to make it possible for new users to create an account. To start, present the user with a form for them to enter th

[…]