WebAuthn is an industry standard specification for accessing Public Key credentials. It defines a set of APIs and interfaces for securely generating keypairs that can subsequently be used for user authentication. The specification is widely supported (Apple, Google, Microsoft) and provides an array of configuration options, each with different usability and security tradeoffs.
In the most usable configuration, platform authentications (Face ID, finger print, ect) provide a simple way for users to securely generate + manage their keypair. Many platforms today include secure elements which can be leveraged through the webauthn api. Passkeys further improve user experience by transparently synchronizing credentials across devices and supporting recovery through the root platform account (i.e. iCloud).
In the most secure configuration, roaming authentications allow specialized hardware to generate credentials and assertions, allowing users to manage their credentials using FIDO2 compliant devices such as Yubikeys or a Ledger (coming soon).
This massive shift in authentication logic is being catalyzed by existing software and hardware providers that represent almost the entirety of the device ecosystem today. Supporting Webauthn credentials allows Starknet to capitalize this momentum, to provide a massive improvement in blockchain usability and, to provide a path for mainstream user adoption.
To summarize:
Standardized
- Supported by all major browsers and vendors
- Platform + Roaming authenticators (FIDO2)
Configurable
- Algorithms (P-256, RS256, ect)
- Extensions (Large Blob Storage)
- Transports (USB, NFC, BLE, HYBRID, INTERNAL)
User Friendly
- Platform authenticators generate + manage key pairs securely
- Key recovery + cross device synchronization done natively (Pass Keys)
Implementation
The flow generally involves a registration step and subsequent assertion steps coordinated by a Relaying Party.
Note: The registration step does not require any onchain logic. It is facilitated offchain, with webauthn signer being naively initialized with the generated credentials public key or being added as an additional credential through the signing of the transaction by an existing key.
Verifying an assertion
In the Starknet configuration, a smart contract implementation of the webauthn assertion logic according to the specification, which enables the use of webauthn credentials for transaction signing.
At a high level, the logic is required to:
- Parse a provided client data json blob to verify it matches expectations. Most importantly, verify the challenge value matches the expectation, typically a transaction hash. The
validation
property is a base64 encoding of the provided challenge bytes, so requires support for either base64 encoding/decoding in starknet. - Parse the provided authenticator data and verify it matches expectations. Most importantly, verify the âuser presentâ and âuser verifiedâ flags are set.
- Hash the client data json using sha256.
- Concatenate
auth data + sha256(client data)
- Hash the concatenation
sha256(auth data + sha256(client data))
- Verify the provided signature matches the expected signature of the hashed data for a given public key.
Current Implementation
At Cartridge, we are eager to unlock the UX affordances provided by Webauthn and have a working implementation of the process described above.
The relevant components are:
- https://github.com/cartridge-gg/cairo-sha256: Efficient sha256 hashing on arbitrary inputs (Hints whitelisted in 0.10.0).
- https://github.com/cartridge-gg/cairo-base64: Efficient felt base64 encoding.
- https://github.com/cartridge-gg/cairo-secp256r1: Cairo implementation of secp256r1 signature verification (initially implemented by EulerSmile).
- https://github.com/cartridge-gg/cairo-webauthn: Efficient onchain verification of webauthn credential data.
Whatâs missing
There are still a few gaps before we can start using this in production.
-
Improve secp256r1 efficiency. The current implementation is expensive, around ~380k steps to verify a signature. Starkware has implemented efficient secp256k1 verification (the ethereum curve) which costs ~300k gas. However, due to the different in primes the optimizaitons are incompatible. One direction worth exploration is leveraging the Montgomery method for modular multiplication If this sounds like an interesting challenge, weâd love your help. You can find more info here: feat: update to use hints by tarrencev ¡ Pull Request #1 ¡ cartridge-gg/cairo-secp256r1 ¡ GitHub
-
Support for other signature schemes, most notably RS256: Support RS256 credentials ¡ Issue #6 ¡ cartridge-gg/cairo-webauthn ¡ GitHub
-
There are various improvements we can make to the
cairo-webauthn
implementation, documented here: Issues ¡ cartridge-gg/cairo-webauthn ¡ GitHub. Any contributions would be greatly appreciated. -
The codebases need to be audited, weâre planning to facilitate this once the code stabilizes. Let us know if you are interested in contributing.
-
Client libraries to support generating the expected webauthn signature format. We have a Javascript + Python implementation weâll make available.
At Cartridge, weâre focused on bringing Starknet gaming to mainstream audiences and believe this technology will be critical in achieving that. If you are interested in collaborating, please let us know. Any contributions would be greatly appreciated!