Module passkey

Pure Rust WebAuthn/Passkey authentication implementation.

This module provides a complete FIDO2/WebAuthn implementation for passwordless authentication using passkeys. It supports both platform authenticators (built into devices) and roaming authenticators (USB security keys) without requiring OpenSSL dependencies.

§WebAuthn Standards Compliance

  • WebAuthn Level 2: Complete implementation of W3C WebAuthn specification
  • FIDO2: FIDO Alliance Client to Authenticator Protocol v2.1
  • CTAP2: Client to Authenticator Protocol version 2
  • CBOR Encoding: Proper CTAP2 CBOR encoding/decoding

§Supported Authenticator Types

  • Platform Authenticators: Windows Hello, Touch ID, Android Biometrics
  • Roaming Authenticators: YubiKey, SoloKey, Titan Security Key
  • Hybrid Transport: QR code and proximity-based authentication
  • Multi-Device: Cross-device authentication flows

§Security Features

  • Origin Binding: The origin is part of the signed client data, so a signature produced for one origin is not valid for another
  • User Verification: Biometric or PIN-based verification
  • Replay Protection: Unique challenge for each authentication
  • Phishing Resistance: Credentials are scoped to the relying party ID and cannot be exercised from another domain
  • Privacy Preserving: No biometric data leaves the device

§Algorithm Support

  • ECDSA: P-256, P-384, P-521 elliptic curves
  • EdDSA: Ed25519 signature algorithm
  • RSA: RSA-2048, RSA-3072, RSA-4096 (where supported)

§Registration Process

  1. Challenge Generation: Create cryptographic challenge
  2. Credential Creation: Browser/authenticator creates key pair
  3. Attestation Verification: Validate authenticator attestation
  4. Storage: Store public key and metadata

§Authentication Process

  1. Challenge Generation: Create authentication challenge
  2. Signature Creation: Authenticator signs challenge
  3. Signature Verification: Validate signature with stored public key
  4. Result: Return authentication success or failure
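The relying-party checks behind steps 2 and 3 above, performed on the authenticator data before the signature itself is verified, as an added example that is not part of auth_framework. It assumes the caller supplies SHA-256(rp_id) and the counter stored at the last login; the hash values used with it are constructed, not real.

```rust
// Added example, not part of auth_framework: relying-party checks on the
// authenticatorData returned with an assertion. Layout per WebAuthn:
// rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | extensions...

pub const FLAG_UP: u8 = 0x01; // user present
pub const FLAG_UV: u8 = 0x04; // user verified

#[derive(Debug, PartialEq)]
pub enum AssertionError {
    TooShort,
    RpIdMismatch,
    UserNotPresent,
    UserNotVerified,
    CounterNotIncreased { stored: u32, received: u32 },
}

pub struct AuthenticatorData { pub rp_id_hash: [u8; 32], pub flags: u8, pub sign_count: u32 }

pub fn parse_authenticator_data(bytes: &[u8]) -> Result<AuthenticatorData, AssertionError> {
    if bytes.len() < 37 { return Err(AssertionError::TooShort); }
    let mut rp_id_hash = [0u8; 32];
    rp_id_hash.copy_from_slice(&bytes[..32]);
    let sign_count = u32::from_be_bytes([bytes[33], bytes[34], bytes[35], bytes[36]]);
    Ok(AuthenticatorData { rp_id_hash, flags: bytes[32], sign_count })
}

/// Checks an RP makes before verifying the signature. `expected_rp_id_hash` is
/// SHA-256(rp_id), computed by the caller; `stored_count` is the last saved counter.
/// Returns the new counter to store on success.
pub fn check_assertion(bytes: &[u8], expected_rp_id_hash: &[u8; 32], require_uv: bool,
                       stored_count: u32) -> Result<u32, AssertionError> {
    let ad = parse_authenticator_data(bytes)?;
    if ad.rp_id_hash != *expected_rp_id_hash { return Err(AssertionError::RpIdMismatch); }
    if (ad.flags & FLAG_UP) == 0 { return Err(AssertionError::UserNotPresent); }
    if require_uv && (ad.flags & FLAG_UV) == 0 { return Err(AssertionError::UserNotVerified); }
    // Replay/clone check: the counter must strictly increase, unless the
    // authenticator does not implement one (both values stay at zero).
    if (ad.sign_count != 0 || stored_count != 0) && ad.sign_count <= stored_count {
        return Err(AssertionError::CounterNotIncreased { stored: stored_count, received: ad.sign_count });
    }
    Ok(ad.sign_count)
}

/// Constructed authenticatorData for demonstration (no real authenticator involved).
pub fn build_authenticator_data(rp_id_hash: &[u8; 32], flags: u8, sign_count: u32) -> Vec<u8> {
    let mut v = rp_id_hash.to_vec();
    v.push(flags);
    v.extend_from_slice(&sign_count.to_be_bytes());
    v
}
```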

§Example Usage

use auth_framework::methods::passkey::{PasskeyAuthMethod, PasskeyConfig};
use auth_framework::tokens::TokenManager;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Configure passkey authentication
    let config = PasskeyConfig {
        rp_name: "Example Corp".to_string(),
        rp_id: "example.com".to_string(),
        origin: "https://example.com".to_string(),
        timeout_ms: 60000,
        user_verification: "required".to_string(),
        authenticator_attachment: None,
        require_resident_key: false,
    };

    let token_manager = TokenManager::new_hmac(b"dummy_secret", "issuer", "audience");
    let passkey_method = PasskeyAuthMethod::new(config, token_manager)?;

    // PasskeyAuthMethod is now configured and ready for use
    // Registration and authentication flows would be implemented
    // based on the specific passkey implementation requirements

    Ok(())
}

§Browser Compatibility

  • Chrome: Full WebAuthn support
  • Firefox: Complete implementation
  • Safari: iOS 14+ and macOS Big Sur+
  • Edge: Chromium-based versions
  • Mobile: iOS Safari, Chrome Android

§Production Considerations

  • Replace in-memory storage with persistent database
  • Implement proper error handling for unsupported browsers
  • Configure appropriate timeout values for user experience
  • Consider attestation verification policies
  • Plan for authenticator replacement scenarios

Structs§

  • AdvancedVerificationResult: Result of advanced WebAuthn verification
  • CrossPlatformVerificationResult: Result of cross-platform verification
  • PasskeyAuthMethod: Passkey/WebAuthn authentication method implementing FIDO2 standards
  • PasskeyConfig: Configuration for passkey authentication
  • PasskeyRegistration: Stored passkey registration information
  • TypeSpecificValidationResult: Type-specific validation result

Enums§

  • AuthenticatorType: Types of WebAuthn authenticators