WebAuthn for offline authentication

[ConstantinFF]

Hi @MasterKale

Great library, and super nicely written documentation, easy to follow.

I am trying to figure out if WebAuthn can be used for fully offline authentication.
I do understand that it is supposed to work online, together with a server,
but I find some features very useful. Here is a user scenario.

1. User goes to an offline web app and creates account using their Authenticator.
   Serverside is also handled by the browser
2. User logs in using their Authenticator to obtain their private key
3. Using the private key User can decrypt anything previously encrypted and stored locally

I believe my question is also related to: #299

[MasterKale]

Hello @ConstantinFF, in the case of a fully offline app (perhaps an offline Electron app that wants to protect login with WebAuthn), I don't see why you couldn't keep everything locally. Part of the issue with using SimpleWebAuthn for this is that it was so tightly coupled to some Node data types. As you observed #299 is attempting to decouple this project from Node, and some initial testing suggests that it will probably work, and lay the ground work for some tweaks here and there to support other runtimes.

I hadn't had it on my roadmap to test #299 in an Electron project as I've not done any Electron development to date (short of running a sample app for what I think was a precursor to Electron Forge.)

But getting back to your original question, I think the potential downside to having authentication handled completely client side is that someone could very easily override the app to simply never do authentication, trick the app to think the user is always logged in without ever doing WebAuthn. Hence there's been a need for a remote server to do the validation of WebAuthn responses as it's harder to attack. If you're not trying to harden the Electron app, but simply provide a simpler "unlock" experience then maybe WebAuthn is what you want, with the caveat that you don't want to ensure users it's uber safe when in reality anyone could come in, modify the Electron app's files, and bypass authentication entirely. This is true of any such client-side-only authentication, of course, not just those that use WebAuthn.

Does this answer your question?

[ConstantinFF]

I continue researching the case.

The closest feature that I am looking for might be largeBlob extension https://w3c.github.io/webauthn/#sctn-large-blob-extension

My idea is to keep local data encrypted. When a user goes through the webauthn challenge locally, that to always result a token/password with which locally stored data would be decrypted.

Related:
https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-credBlob-extension
w3c/webauthn#1595