Design with passkeys in mind #14

Open
tcannonfodder opened this issue Jul 14, 2023 · 2 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@tcannonfodder

Hey there 👋 !

Thomas from the Ruby passkeys organization! We're actively trying to make passkeys the default authentication standard for Ruby, and this rewrite is extremely promising! I've never been a fan of Devise because it's so heavy, so the lightweight approach that Sorcery takes is a huge breath of fresh air.

It would be amazing if the gem had first-class support for passkeys (and maybe even defaulted to passkeys out of the gate!). It would be a huge boon for greenfield apps that need to implement authentication, and don't want to be stuck with Devise again.

We're around to help out with any questions or guidance! There are also some gems that might be good to look at for reference:

@tcannonfodder added the enhancement (New feature or request) label on Jul 14, 2023
@joshbuker
Member

Heya @tcannonfodder!

I would be more than happy to help get passkeys set up as a plugin for Sorcery. One of the main purposes for the rewrite was to support these kinds of additions, and I'm excited to see Ruby get a lightweight way to implement passwordless authentication.

That said, I struggle setting aside time to work on Sorcery as it is, so this would have to be implemented by the community. I can definitely set aside some time to answer any questions, however, and very much welcome the assistance!

@tcannonfodder
Author

Awesome, and totally understand! Hoping to work on some of the code for this eventually 💪

One of the biggest ways to help out at the library level would be to keep the idea of password-based authentication loosely coupled from the rest of authentication. Since passkeys replace passwords, being able to quickly & confidently either:

  • Start with passkeys
  • Migrate over to passkeys

Would be a huge help. In our work on devise-passkeys, the extremely tight coupling of passwords as the primary form of authentication makes it a maintenance nightmare.

Maybe the architecture could be tweaked to:

  • sorcery-base: All the sorcery functionality except the authentication & recovery internals
  • sorcery-passwords: New plugin to support logging in with a password and resetting your password
  • sorcery-passkeys: New plugin to support passkey authentication & emergency passkey registration (a recovery method where you register a new passkey for your account, acting on the assumption that all other passkeys have been lost)
  • sorcery-passkey-migration: Plugin that helps migrate existing password authentication over to passkeys, with methods like `require_passkey_migration?` that can be overridden

@joshbuker added the help wanted (Extra attention is needed) label on Sep 23, 2023