Module passkey

Pure Rust WebAuthn/Passkey authentication implementation.

This module provides a complete FIDO2/WebAuthn implementation for passwordless authentication using passkeys. It supports both platform authenticators (built into devices) and roaming authenticators (USB security keys) without requiring OpenSSL dependencies.

§WebAuthn Standards Compliance

  • WebAuthn Level 2: Complete implementation of W3C WebAuthn specification
  • FIDO2: FIDO Alliance Client to Authenticator Protocol v2.1
  • CTAP2: Client to Authenticator Protocol version 2
  • CBOR Encoding: Proper CTAP2 CBOR encoding/decoding

§Supported Authenticator Types

  • Platform Authenticators: Windows Hello, Touch ID, Android Biometrics
  • Roaming Authenticators: YubiKey, SoloKey, Titan Security Key
  • Hybrid Transport: QR code and proximity-based authentication
  • Multi-Device: Cross-device authentication flows

§Security Features

  • Origin Binding: Cryptographically bound to website origin
  • User Verification: Biometric or PIN-based verification
  • Replay Protection: Unique challenge for each authentication
  • Phishing Resistance: Cannot be used on wrong domains
  • Privacy Preserving: No biometric data leaves the device

§Algorithm Support

  • ECDSA: P-256, P-384, P-521 elliptic curves
  • EdDSA: Ed25519 signature algorithm
  • RSA: RSA-2048, RSA-3072, RSA-4096 (where supported)

§Registration Process

  1. Challenge Generation: Create cryptographic challenge
  2. Credential Creation: Browser/authenticator creates key pair
  3. Attestation Verification: Validate authenticator attestation
  4. Storage: Store public key and metadata

§Authentication Process

  1. Challenge Generation: Create authentication challenge
  2. Signature Creation: Authenticator signs challenge
  3. Signature Verification: Validate signature with stored public key
  4. Result: Return authentication success or failure
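As an added example (not code from the auth_framework crate), the relying-party side of step 3: parsing the authenticatorData bytes returned with an assertion and applying the origin-binding, user-presence/verification and replay (sign counter) checks before the signature itself is verified. It assumes the caller has already computed SHA-256(rp_id) and looked up the counter stored at registration.

```rust
// authenticatorData layout (WebAuthn Level 2, section 6.1): rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data
const FLAG_UP: u8 = 1 << 0; // bit 0: user present
const FLAG_UV: u8 = 1 << 2; // bit 2: user verified

#[derive(Debug, PartialEq)]
pub enum AuthDataError {
    TooShort,
    RpIdMismatch,
    UserNotPresent,
    UserNotVerified,
    CounterNotIncreased { stored: u32, received: u32 },
}

#[derive(Debug, PartialEq)]
pub struct AuthData {
    pub rp_id_hash: [u8; 32],
    pub flags: u8,
    pub sign_count: u32,
}

pub fn parse_auth_data(bytes: &[u8]) -> Result<AuthData, AuthDataError> {
    if bytes.len() < 37 {
        return Err(AuthDataError::TooShort);
    }
    let mut rp_id_hash = [0u8; 32];
    rp_id_hash.copy_from_slice(&bytes[..32]);
    let sign_count = u32::from_be_bytes([bytes[33], bytes[34], bytes[35], bytes[36]]);
    Ok(AuthData { rp_id_hash, flags: bytes[32], sign_count })
}

// Relying-party checks before signature verification. `expected_rp_id_hash` is
// SHA-256(rp_id), assumed computed by the caller. Returns the new counter to store.
pub fn check_assertion(
    auth: &AuthData, expected_rp_id_hash: &[u8; 32],
    require_user_verification: bool, stored_sign_count: u32,
) -> Result<u32, AuthDataError> {
    if &auth.rp_id_hash != expected_rp_id_hash {
        return Err(AuthDataError::RpIdMismatch); // credential bound to another RP ID
    }
    if auth.flags & FLAG_UP == 0 {
        return Err(AuthDataError::UserNotPresent);
    }
    if require_user_verification && auth.flags & FLAG_UV == 0 {
        return Err(AuthDataError::UserNotVerified);
    }
    // Zero on both sides means the authenticator has no counter; otherwise it must strictly increase.
    if (auth.sign_count != 0 || stored_sign_count != 0) && auth.sign_count <= stored_sign_count {
        return Err(AuthDataError::CounterNotIncreased { stored: stored_sign_count, received: auth.sign_count });
    }
    Ok(auth.sign_count)
}
```

A counter that does not increase is the signal the specification gives for a replayed assertion or a cloned authenticator, so the stored value should only be updated on success.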

§Example Usage

use auth_framework::methods::passkey::{PasskeyAuthMethod, PasskeyConfig};

// Configure passkey authentication. `rp_id` must be the registrable domain of
// `origin`: credentials are bound to it and cannot be used on another domain.
let config = PasskeyConfig {
    rp_name: "Example Corp".to_string(),
    rp_id: "example.com".to_string(),
    origin: "https://example.com".to_string(),
    timeout: 60000, // assumed to be milliseconds, following the WebAuthn convention
    require_user_verification: true,
};

// `token_manager` is the framework's token manager, constructed elsewhere (not
// shown). The `?` operators require an enclosing function that returns a `Result`.
let passkey_method = PasskeyAuthMethod::new(config, token_manager)?;

// Registration flow: produces a fresh challenge for the browser's
// navigator.credentials.create() call
let reg_challenge = passkey_method.start_registration(
    "user123",
    "user@example.com"
).await?;

// Authentication flow: produces a fresh challenge for navigator.credentials.get();
// each challenge is single-use, which is what provides replay protection
let auth_challenge = passkey_method.start_authentication("user123").await?;

§Browser Compatibility

  • Chrome: Full WebAuthn support
  • Firefox: Complete implementation
  • Safari: iOS 14+ and macOS Big Sur+
  • Edge: Chromium-based versions
  • Mobile: iOS Safari, Chrome Android

§Production Considerations

  • Replace in-memory storage with persistent database
  • Implement proper error handling for unsupported browsers
  • Configure appropriate timeout values for user experience
  • Consider attestation verification policies
  • Plan for authenticator replacement scenarios

Structs§

AdvancedVerificationResult
Result of advanced WebAuthn verification
CrossPlatformVerificationResult
Result of cross-platform verification
PasskeyAuthMethod
Passkey/WebAuthn authentication method implementing FIDO2 standards.
PasskeyConfig
Configuration for passkey authentication
PasskeyRegistration
Stored passkey registration information
TypeSpecificValidationResult
Type-specific validation result

Enums§

AuthenticatorType
Types of WebAuthn authenticators