Tweag and Mercury are happy to announce a server-side library for the the WebAuthn standard (part of the FIDO2 project), available as webauthn on Hackage! If you have a web server written in Haskell that allows users to create and log into accounts, this library might interest you, and we’d love to have feedback as we refine the interface of the library. The source of the library is available here, feel free to open issues, PRs or leave a comment here!
The WebAuthn standard allows users to easily and securely authenticate to websites with public key credentials, generated and stored on secure authenticators like Yubikeys, TouchID, TPM and more. This can either be used to secure accounts with second-factor authentication, or as a first factor, allowing users to log in without a password or even a username. See here for a WebAuthn guide and demo. Here’s another and another demo.
Originally forked from a hackathon project by Arian and taking inspiration from an alternative implementation by Fumiaki (also known as webauthn-0 on Hackage), this library has been developed by a team at Tweag, as contracted by Mercury, whose intention is to sponsor a good open-source library for the Haskell ecosystem, many thanks!
While the general design of the library isn’t expected to change very much, it should currently still be considered an alpha version, as Mercury and ideally others try out the library and give feedback. As such, if you have a website with user accounts running on Haskell, we’d love for you to try it out and tell us what could be improved! To get started, here are our recommendations:
- Read the introduction to the WebAuthn standard to get a sense of what the standard does
- Read the documentation of the main Crypto.WebAuthn module, which gives an overview of the library
- Check out and run the code of our demo server implementation, which shows an example of how the library might be used
- Use this chrome extension to simulate authenticators if you don’t have one yourself