[GH-ISSUE #298] Migrate/support new WebAuthn protocol instead of U2F #817

New issue

Closed

opened 2026-03-14 10:43:44 +03:00 by kerem · 2 comments

kerem commented 2026-03-14 10:43:44 +03:00

Owner

Copy link

Originally created by @rugk on GitHub (Jun 9, 2022).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/298

AFAIK U2F is kind of deprecated nowadays and WebAuthn should be used instead. It has some more features like passwordless authentication and some other integrations for other attestation stuff not only from hardware keys, but AFAIk it's a different API and thus you may need to adjust something.

These resources here may provide more information:

• https://webauthn.guide/ (more user oriented)
• https://webauthn.io/ (more technical)
• https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
• There are not many sites explaining the differences I could find and here is one of them, but it may not be the best, actually.

See/Compare it with Nextcloud, who deprecated their whole implementation of U2F in https://github.com/nextcloud/twofactor_u2f and switched to https://github.com/nextcloud/twofactor_webauthn. Interestingly how they implemented it is that you can optionally also use your hardware key for passwordless authentication, but you explicitly need to register it for that.
For such a thing, IMHO; I would also be fine with Anonaddy.

What may be done

• Change the code so it uses WebAuthn (and U2F only as a fallback, for hardware keys, which don't support it yet? Or maybe that is somehow automatically done?)
• Change all references in the UI to include less-technical terms (hardware key) or only as an addition include WebAuthn/U2F. Prefer "WebAuthn" if possible, as that is the latest stuff and also sounds better… 🙃

Originally created by @rugk on GitHub (Jun 9, 2022). Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/298 AFAIK U2F is kind of deprecated nowadays and _WebAuthn_ should be used instead. It has some more features like passwordless authentication and [some other integrations for other attestation stuff not only from hardware keys](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/Attestation_and_Assertion), but AFAIk it's a different API and thus you may need to adjust something. These resources here may provide more information: * https://webauthn.guide/ (more user oriented) * https://webauthn.io/ (more technical) * https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API * There are not many sites explaining the differences I could find [and here is one of them](https://blog.strongkey.com/blog/guide-to-fido-protocols-u2f-uaf-webauthn-fido2), but it may not be the best, actually. See/Compare it with Nextcloud, who deprecated their whole implementation of U2F in https://github.com/nextcloud/twofactor_u2f and switched to https://github.com/nextcloud/twofactor_webauthn. Interestingly how they implemented it is that you can optionally also use your hardware key for passwordless authentication, but you explicitly need to register it for that. For such a thing, IMHO; I would also be fine with Anonaddy. ## What may be done * Change the code so it uses WebAuthn (and U2F only as a fallback, for hardware keys, which don't support it yet? Or maybe that is somehow automatically done?) * Change all references in the UI to include less-technical terms (hardware key) or only as an addition include WebAuthn/U2F. Prefer "WebAuthn" if possible, as that is the latest stuff and also sounds better… :upside_down_face:

kerem closed this issue 2026-03-14 10:43:49 +03:00

kerem commented 2026-03-14 10:45:03 +03:00

Author

Owner

Copy link

@willbrowningme commented on GitHub (Jun 16, 2022):

Currently in the process of upgrading to v3 of https://github.com/asbiin/laravel-webauthn so I will close this once that is complete.

I'll update the references to U2F too, thanks.

<!-- gh-comment-id:1157391545 --> @willbrowningme commented on GitHub (Jun 16, 2022): Currently in the process of upgrading to v3 of https://github.com/asbiin/laravel-webauthn so I will close this once that is complete. I'll update the references to U2F too, thanks.

kerem commented 2026-03-14 10:45:08 +03:00

Author

Owner

Copy link

@willbrowningme commented on GitHub (Jul 14, 2022):

Latest release now pushed to the server with Laravel WebAuthn v3 so this can be closed.

<!-- gh-comment-id:1184181966 --> @willbrowningme commented on GitHub (Jul 14, 2022): Latest release now pushed to the server with Laravel WebAuthn v3 so this can be closed.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.5.0

v1.4.1

v1.4.0

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.9

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.14.1

v0.14.0

v0.13.13

v0.13.12

v0.13.11

v0.13.10

v0.13.9

v0.13.8

v0.13.7

v0.13.6

v0.13.5

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.1

v0.10.0

v0.9.1

v0.9.0

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.5

v0.7.4

v0.7.3

v0.7.2

v0.7.1

v0.7.0

v0.6.2

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.0

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

bug

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/anonaddy#817

No description provided.