Best Practices for WebAuthn FIDO2 reset
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:
- WebAuthn with a FIDO2 token (ideally with biometric security, so something like a VeriMark Guard or a YubiKey. Smartphones also nowadays also offer Face-ID and fingerprint sensors)
- Public Key Authentication like SSH/GPG. The users only need to have their backup public key available somewhere, maybe also published on a keyserver. While the private key remains on an encrypted device, or another hardware token in a different geographical location.
WebAuthn is very useful for registering and logging in on a daily basis, but in case of loss or damage it fails.
I am looking for existing best practices in that domain, regulations or just examples that have done something like this before.
In GitHub and GitLab it's possible to e.g. clone repos via SSH authentication, but not logging in on the websites. Why is this seemingly never possible?
Why is most prominent recovery procedure to input a (usually quite short) recovery code e.g. "2957174". This is even more unsafe than having a password?
And yes I am aware that not everyone has access to the required hardware, so password still login still must be possible.
