Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.    By click

Search code, repositories, users, issues, pull requests...

submited by
Style Pass
2025-01-09 22:30:07

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Adding a way to use webauthn without Javascript should be considered. For example most Tor users have Javascript always disabled, and having a way to use webauthn without JS would allow use of 2FA in Tor. Also, some projects want to be fully usable without the use of JS, and having a way to use 2FA would open the way for those projects too. I'm not too sure how it should be implemented though. Maybe <input type="webauthn">?

At GitHub, we try to minimize the use of Javascript on the frontend. We have plain forms at the core of most forms of authentication (e.g. username, password, SMS, OTP). There are some good reasons to use JS for webauthn, but in principle it would be nice if it was possible to shed the overhead in favor of simplicity for the common case.

yeah, nominally ISTM this'd require defining some form of declaration for the webapp to make that it wishes to employ webauthn and possibly defining a common format for conveying the webauthn bits between the client platform and the RP front-end server.

Leave a Comment