An excellent follow-up thread by Figma’s Devdatta Akhawe that I wanted to back up here for future review.
See also his prior thread: How Figma Switched Their Okta to Only Allow Phish-proof WebAuthn/FIDO Multi-factor Authentication.
🧵 1/ @mdorsi suggested a follow-up thread on our experience switching to webauthn & so here goes. I will first start with the good parts before jumping into lessons that might be useful for other security teams. If you find this fun, come join us at http://figma.fun/seceng
2/ The Good: Not having to stress out about phishing or come up with “gotchu” phishing campaigns for your coworkers is a significant relief; I strongly recommend enforcing webauthn to every startup, VC firm, or anyone with a small security team.
3/ The Good: While there are people still confused about how security keys work, it seems touchid/faceid support really seems to make webauthn usable and intuitive.
4/ The Bad: webauthn support is still iffy in native login flows. Things that don’t work include Android login to Google account, Asana mobile apps, the iOS simulator in Xcode (and other native macOS dialogs).
5/ And every major update of OS/machine runs risk of breakage: Touchid registration on Okta for Safari+M1s is currently broken. We also had random errors in Chrome after the upgrade to Monterey (fixed after an extra restart).
6/ Wide use of touchid/faceid means that folks don’t really use Yubikeys and as travel has picked back up, “I forgot my yubikey at home” has become a common lockout scenario (esp with the issues from previous tweet).
7/ Finally, a fun usable security lesson. We relied on the Yubikey 5ci in our rollout. My thinking was “It has both usb-c and lightning connectors so compatible with everything”. Expensive, but hopefully worth it.
8/ The key just wasn’t working for a Figmate though. I start a chat, step by step tests on http://webauthn.io (🙏🏼 Duo!), everything seems fine. But, once when I asked them to plug the key into the phone, I see an HOTP hash in our chat. huh! what!
9/ After a few msgs back/forth, I realize they had connected the USB part of the key to their laptop &, at the same time, the lightning part to their phone. I look at the key again; that’s a completely reasonable assumption!!
10/ I imagine this was never a problem pre-covid where employees walk up to helpdesks. Nothing like real world testing though! We updated our guides to be clear about unplugging the yubikey from the laptop before connecting to phone!
11/ So, what comes next? Well, webauthn only helps with credential phishing. Social Engineering is still a big problem and we are plotting some pretty cool new ideas. Come join us: http://figma.fun/seceng. We are looking for engineers with all levels of experience.
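The dual-connection mix-up in tweets 8 to 10, where the key typed a one-time password into the chat, as an added example (mine, not Figma's or the thread's): a small helper a helpdesk or chat tool could run to recognise a Yubico OTP that landed in a text field and suggest unplugging the key. The modhex alphabet, the 0-16 char public id and the 32-char encrypted suffix are assumed from Yubico's public OTP format; the chat lines are constructed.

```javascript
// Added example: spot a YubiKey OTP typed into the wrong place (e.g. a chat).
// Assumed format (Yubico OTP): modhex alphabet "cbdefghijklnrtuv", a public id
// of up to 16 chars followed by a 32-char AES-encrypted block, then Enter.
const MODHEX = "cbdefghijklnrtuv";
const MODHEX_RE = /^[cbdefghijklnrtuv]{32,48}$/;

// Decode modhex text into a byte array; throws on non-modhex or odd length.
function modhexDecode(text) {
  if (text.length % 2 !== 0) throw new Error("modhex length must be even");
  const out = [];
  for (let i = 0; i < text.length; i += 2) {
    const hi = MODHEX.indexOf(text[i]);
    const lo = MODHEX.indexOf(text[i + 1]);
    if (hi < 0 || lo < 0) throw new Error("not modhex: " + text);
    out.push((hi << 4) | lo);
  }
  return out;
}

// Inspect one chat message or form value. Returns null for ordinary text,
// otherwise the public id (which identifies the physical key) and a hint.
function inspectTypedOtp(message) {
  const s = message.trim();
  if (!MODHEX_RE.test(s)) return null;
  const publicId = s.slice(0, s.length - 32);
  // The encrypted tail holds the key's counters; without the AES key we
  // cannot validate it, but its shape alone is the signal we need here.
  const encryptedBytes = modhexDecode(s.slice(-32)).length;
  return {
    publicId,
    encryptedBytes,
    hint: "This looks like a YubiKey one-time password. If the key is plugged " +
          "into a laptop and a phone at the same time, unplug it from the " +
          "laptop before tapping it for the phone."
  };
}

// Scan a transcript and return only the lines that look like an OTP.
function flagOtpLines(lines) {
  return lines.map((l, i) => ({ line: i + 1, result: inspectTypedOtp(l) }))
              .filter(x => x.result !== null);
}

// Constructed sample chat, not a real transcript; line 2 is a made-up OTP.
const SAMPLE_CHAT = [
  "ok plugging the key into my phone now",
  "cccjgjgkhcbbirhvhrkdrbbbevfiuvcftcbknnebvhbg",
  "huh! what!",
];
```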