I've been working on a project and one of the requirements that came up is offline authentication. On the web what we would like to do is ask the user to login using their device authentication for example touch ID and face ID on iOS devices. I know webauthn exists, but the current spec requires the server to respond with a challenge. Can this challenge be cached with say a service worker? Will the spec still work like this? Can I use a service worker to cache the challenge then feed it back to the user when offline. If not are there any other options for offline authentication?
Asked
Active
Viewed 271 times
1 Answers
2
Caching of response - not good:
It depends on your authentication implementation. If the client authentication requests with the same password are different each time (because you use nonce, or because you encrypt password), then it is not easy to determine if two requests mean the same password. Thus it is not easy to decide if the cached response should be returned for particular request or not.
The cached response may contains some data that depend on time and that are expired. Thus you will have to implement some logic to deal with it.
Hashing of credentials - better:
I'd suggest other approach.
After successful online authentication you can hash the credentials using some key derivation function like Argon2 and store them locally. In case somebody breaks into your app and obtains the hash, it will not help to retrieve the password.
In the offline mode during authentication you can calculate the hash of credentials using the same hashing parameters (same salt, number of iterations, memory factor) and compare it to the cached one. If they match, credentials are correct.
mentallurg
- 8,536
- 4
- 26
- 41
-
I'm using my own implementation of Kerberos authentication protocol for login. Calculating hash and storing locally is definitely an option. That actually makes a lot of sense, thanks mate. – Nxte Jan 07 '21 at 04:17