Authentication is a fundamental aspect of online security. Still, a lot of the time it just doesn’t work, especially when it comes to passkeys. Security keys can cost hundreds of dollars, platform authenticators may take your credentials hostage, and who doesn’t love the “upgrade your membership to register a backup credential” prompt? Fortunately, I haven’t experienced at least the last point in the wild for some time now.
In my talk I won’t (and can’t) give you a solution to any of those problems. Instead, I want to share my experience maintaining an ecosystem of Zig packages for FIDO2 / Passkey authentication.
While this talk is going to be a little bit technical, I want to focus on sharing some “best practices” (from my perspective) on what you can do to make “authentication” a little bit better for everyone. Among other things, we’ll talk about why XML might not be the best data format as a foundation for a credential database, why you should still use KDBX instead of reinventing the wheel, and the benefits of making it easy to integrate with other services. We’ll also take a quick look at where we currently stand in offering passkey-based authentication for Zig-based applications.
Of course, much of what I want to talk about can also be applied to other aspects of software development.