Preventing registration on multiple devices

[mar1n3r0]

I have read the considerations about avoiding turning webauthn into a super cookie but the whole point of biometrics is to be able to identify a user on any device. So imagine the following use case. You are developing a wallet for universal basic income. To avoid malicious behavior you want to make sure a user can register only once and can't get new wallets from new devices. Is there a way to achieve that while maintaining the security per device? Is it possible to avoid tracking while covering this use case?

[timcappalli]

Most default authenticators create synced passkeys which are available on all of a user's devices. As passkeys are intended to replace phishable sign in credentials, this is by design.

Note that WebAuthn is not a biometrics API , biometrics are not required, and they can't be enforced.

[mar1n3r0]

Thanks, that clears it up perfectly. What if the user creates a new account? For example a new Google account which is tied to its own Google Password Manager instance. Then the user can again create as many accounts and as many wallets as he wishes?

[timcappalli]

Not sure I fully understand the question. A user can create a passkey in any credential manager they choose. If they have multiple credential managers, they can have multiple passkeys, by design.

[AdityaMitra5102]

Not sure I fully understand your use case but we can deal with it this way:

When enrolling for the first time, make the key 'non-resident'. This will ensure it is not synced across his devices. Also you may enforce user-verification (UV) which ensures that the user will have to either use his biometrics or device screen lock to use the key.

Now in your database you maintain the credentialId of this device against your username.

Now your idea is that one user should be able to use only 1 credential manager. That cannot be enforced using webauthn or passkeys. You have to enforce that using some other design like govt id verification or something.

And I don't understand what you mean by 'avoid tracking'. Webauthn is not used for tracking users anyways.

[timcappalli]

When enrolling for the first time, make the key 'non-resident'. This will ensure it is not synced across his devices

Most authenticators available to consumers will always create passkeys.

[AdityaMitra5102]

I haven't tested this behavior for a long time but last I tested, if the residentKey field is set to be discouraged , it usually does not prompt to create a passkey. Atleast on android devices running Google Password Manager and Chrome.

Edit: Just tested it using WebAuthn.io. If the Discoverable Credential field there is set to be 'Discouraged', it is not creating passkeys.

[esteluk]

Sadly it does on iOS.

[mar1n3r0]

Will try to clarify here the scenario. So the idea of biometrics in general is to prove uniqueness. That is no two people can have the same fingerprint. This allows for basically replacing any other forms of verification such as official IDs. The problem I have with WebAuthn is that based on that same fingerprint it creates different public keys every time(a deterministic input produces non-deterministic output) thus preventing me from understanding if it's the same user on another device. The authenticator knows precisely who the user is because of the actual biometrics data but the developer doesn't. The only way to tell is by comparing public keys. Anything else discussed is side-tracked to that simple scenario.

So it all boils down to this: Is it possible for me to guess if the same person is sitting in front of two different devices based on public keys when he tries to register and has no shared keys?

[AdityaMitra5102]

No. It is not possible with WebAuthn. In context of WebAuthn, biometrics just signify that you are the owner/ authorized user of the device. There is no way to extract biometric information from the credentials.

On a seperate note, I would suggest you to not use WebAuthn for this use case. Instead you may use some services like CloudScanr that would help you achieve your goal.

Note that these services like CloudScanr does not support your smartphone's inbuilt fingerprint scanner. You may have to connect one via USB. Or you can use facial recognition to get to your goal without any added hardware.

[mar1n3r0]

Thanks. Anything cloud-based and not open source is out of the equation. My use case is a P2P open system based entirely on Linux devices. WebAuthn fit the bill perfectly when it comes to single device as it proves who the user is and is browser-native.

[AdityaMitra5102]

This answer is not related to webauthn or passkeys.

I had run into a similar scenario once. I decided to build my custom algorithm for that. Though it may not be full proof, my algorithm was with facial recognition. Completely on-device. It went in the lines of:

1. Taking a picture of the user using the webcam. (Use OpenCV)
2. Scale and align the picture to a fixed size.
3. Take the distances of the facial features (68 facial landmarks from dlib) from a fixed point and store them in the list.
4. Introduce an error level to accommodate for camera quality, lighting, angle etc.
5. Hash the list and generate ECDSA keys from the hash.
6. Use that ECDSA keys in the same way as webauthn.

Here, no matter whichever device the user uses, his facial features will generate the same key everytime.

Further if your linux systems can be regulated, you can add Presentation Attack Detection (PAD) to mitigate presentation attacks.

I am unable to open source my project rn but a demo video is available https://youtu.be/5-XFS4uKxxk

You may implement something based on this or a similar algorithm.

[mar1n3r0]

Awesome. Thanks for the tips.

[mar1n3r0]

@AdityaMitra5102 I managed to implement it for my use case. I have a question though. How do you generate deterministic keys given that the slightest movement changes the input data? Do you allow some tolerance for that or use any other technique?