Why does this exist?
The products in this list do not support WebAuthn when used with an external identity provider. This lack of support means an organization cannot make WebAuthn a mandatory part of their authentication flow; a single incompatible app can prevent an entire oganization from moving forward. This is the typical deployment for these products in an Enterprise environment, and specifically impacts organizations’ use of these products. The products may actually have their own, specifically built, WebAuthn support; that is not what this list is about.
Unphishable authentication is here and available, but we can’t get its benefits because of how specific applications work.
What is WebAuthn?
Web Authentication (WebAuthn) is a means to authenticate users that is highly resistant to phishing and related attacks. When a system uses WebAuthn for authentication there is no known way for an adversary to trick the user into authenticating on behalf of them; a system using WebAuthn cannot be phished. It is the most user-friendly and flexible technology with this feature and is a direct descendant of U2F which was also created by the FIDO Allliance.
What is the problem?
Despite being published in 2016, support for WebAuthn is inconsistent at best. In particular, it is extremely difficult to configure an identity provider to require WebAuthn for user authentication. This is because native applications, such as those on iOS, Android, Windows, or MacOS have been built in ways that prevent use of WebAuthn for authentication. The problems in these applications is most often that they use a technology called a WebView for authentication. This was always a bad practice, as it means the application has direct access to users’ credentials and their session token with the identity provider in fundamental conflict with the intent of technologies such as OAuth, and makes it impossible to support WebAuthn. As a result, the identity system must support phishable authentication. An adversary will target the phishiable authentication that must be supported instead of the stronger WebAuthn, dramatically reducing the security benefit of adopting WebAuthn.
|Vendor||iOS App||Android App||Windows Client||Mac Client||Linux Client||Date Updated|
|Azure Virtual Desktop||X?||2022-11-08|
|Microsoft Remote Desktop client||✓||X?||2023-09-06|
|Microsoft Visual Studio||X?||2023-09-06|
|Pulse Secure VPN||X▣||X▣||X▣||2022-11-09|
|▣||WebView||This product appears to use a WebView in its application for this platform. A WebView is a low-feature web browser built into an operating system for use in applications. It lacks numerous features, including support for FIDO2. Their use in authentication has been known as a bad idea for many years, and Internet companies have begun actively preventing its use more recently.|
|?||Unclear||We're not sure what the product's application is doing, but FIDO2 authentication doesn't work with the application provided on this platform.|
I’m a vendor and this data is wrong!
Please feel free to submit a PR to this repository or submit an issue. We want this data to be accurate.
I know something that isn’t on this list!
Please feel free to submit a PR to this repository or submit an issue.
- This code enabling this project was forked from the work of robchahin on the SSO Wall of Shame. They are in no way endorsing the content published here.