phishing resistant mfa #401
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for gracious-clarke-e6b312 ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
msaldivar
changed the title
jscyo
requested changes
Apr 22, 2025
| author: "Maurice Saldivar" | ||
| --- | ||
|
|
||
| # Implementing Phishing-Resistant MFA: Hands-On Developer Guide |
There was a problem hiding this comment.
Ah this can be removed. Gatsby will automatically add a title tag
|
|
||
| ## Why Traditional MFA Fails | ||
|
|
||
| ### SIM Swapping: When Your Phone Number Betrays You |
There was a problem hiding this comment.
we should also have an internal link to our own sim swap blog https://supertokens.com/blog/sim-swapping
Comment on lines
+62
to
+72
| ### Why WebAuthn? | ||
|
|
||
| Phishing remains one of the most effective attack vectors against traditional authentication. WebAuthn counters this by binding authentication directly to the user's device through public-key cryptography. When users register with WebAuthn, their device generates a unique key pair for that service. The private key never leaves the device, while the public key is stored on the server. During authentication, the server sends a challenge only the correct private key can sign. | ||
|
|
||
| The critical phishing protection comes from origin binding \- the browser ensures authentication requests can only come from the exact domain that registered the credential. Even perfect site clones at different URLs will fail because the origins don't match. For developers, this means implementing authentication that protects users regardless of their susceptibility to phishing attempts. | ||
|
|
||
| ### How WebAuthn works | ||
|
|
||
| WebAuthn creates a secure authentication framework built on asymmetric cryptography. Instead of storing shared secrets like passwords on servers, it employs public-private key pairs. When users register their device generates these unique keys - the private key remains secured on the device while the public key is stored on the server.The absence of passwords eliminates common vulnerabilities like credential stuffing, password spraying, and database breaches. There's simply no password to steal, reuse, or crack, removing entire categories of attacks from consideration. | ||
|
|
||
| User verification happens locally on the device through either biometrics (fingerprints, facial recognition) or hardware security keys. This verification proves the legitimate user is present without transmitting biometric data to the server. The local device handles all sensitive verification, then cryptographically signs the authentication challenge using the private key only after successful verification. |
There was a problem hiding this comment.
This section should be moved a little higher.
| * Private keys never leave the user's device | ||
| * Biometric or physical presence verification ensures the legitimate user is present | ||
|
|
||
| In this guide, we'll implement a bulletproof phishing-resistant MFA system using SuperTokens, WebAuthn, and FIDO2 standards. This approach not only strengthens security but also improves user experience by reducing friction. |
There was a problem hiding this comment.
We should breakdown what WebAuthn and FIDO is in the next section before we move onto implementation
|
|
||
|
|
||
|
|
||
| <details><summary>Frontend config.tsx</summary> |
There was a problem hiding this comment.
We shouldnt put these detail blocks, I think it will be easy for people to miss
|
@msaldivar Please also add the metadata(it's mentioned in the contributing guide) and the cover image |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related Issue
Link to the Github Issue created for this blog post
Link to Google Doc
https://docs.google.com/document/d/1bedpCOIgRmP8XySesQ2vr_5E1nMv2Bj88YONuurc79Y/edit?tab=t.0
Checklist
Remaining TODOs