-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat: Deterministic Passkey Generation ENG-487 #23
Feat: Deterministic Passkey Generation ENG-487 #23
Conversation
Michael and I did a test run. Unfortunately, when you wish to use passkeys to sign into Github, there's no step where you input your email and then GitHub responds with the UserId. Instead, it just presents a "sign in with passkey" button, which when you connect your phone, will prompt it for the Credential Id. However, if you've just re-installed Liquid Auth, it will be empty, mnemonic or no, there will be no passkey Credential Id to present. A solution is proposed as follows:
This solves the problem. However, by replacing the UserId with the UserHandle we, we lose passkey continuity for a service where a user switches their UserHandle (e.g. their GitHub username) to a new one. If they try to recover Liquid Auth they will need to type in their old UserHandle to generate the passkey that is registered. A UI solution could be as follows. If someone changes their UserHandle, the next time they do a sign in with passkeys, if we can presume that there will be a flow of information (indexed by the Credential Id) where the (new) UserHandle will be included and made available to LiquidAuth, it can check with the UserHandle stored on the phone. If it notices that the passkey was generated with the inclusion of an old UserHandle, it can flag that passkey as being "dirty" and encourage the user to create a new passkey - this one generated with the new UserHandle. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested against the current app and the staged refactor.
Both worked well and recovery went through as expected for third party sites
* feat: first demo of P256 * feat: deterministically generate cred id * feat: new dP256 jar file with BC * fix: does signing with java.security * chore: rename method name * fix: problems with merge * feat: only ask about mnemonic the first time * feat: separate the storing of derived secrets from credentials * fix: make dialogues better, not as cancellable, etc * chore. remove comments * feat: changes from UserId --> UserHandle and introduces a manual recreation button * chore: replace dP256 jar with one that has userHandle instead of userId * fix: take lowercase of userHandle to avoid confusion * chore: UI fixes
# [1.0.0-canary.6](v1.0.0-canary.5...v1.0.0-canary.6) (2024-09-13) ### Features * Deterministic Passkey Generation ENG-487 ([#23](#23)) ([f271bc4](f271bc4))
ℹ Overview
Introduces: https://github.com/algorandfoundation/deterministic-P256-kt
Summary: Adds the ability to set a mnemonic, generating passkeys deterministically based on the origin and user id.
In detail:
✅ Acceptance: