I find this interesting, what questions should people be asking when it comes to testing the passwordless web?
Interesting article! If I understand what it said and what it means, I believe there is no change in how a tester would approach evaluations of authentication in the browser. From a UI point of view, there is still a challenge (asking for a credential), and a response (the credential is provided). Access is granted or not.
The underlying technology (FIDO2, WebAuthn, or CTAP) would be incidental to the purpose of the test since they provide the authenticating mechanism. That is, the business behavior doesn’t change. If a web site adopts this technology, certainly the regression suite around authentication should be executed.
Having said that, I would rather plan my testing to execute in parallel with the implementation of the authenticating technology, and encourage more unit tests (tests closer to product construction). If the web site decides to support multiple forms of credential (password, biometric, etc.), some exploration might be warranted.
Lastly, the larger question is do users really want a single credential to access multiple web sites? Perhaps I’m old-fashioned that way in having some uniqueness in my credentials to limit the possibility of hacking more than one account.
Happy Turkey Day!
You are old-fashioned; users hate passwords, and they reuse them anyway. Investing in one is far better; then users get the point of making an effort to make it more secure, which makes them more open to MFA.
I recommend watching Suby Raman talking about this at passwordscon18. https://www.youtube.com/watch?v=N2nNZqgmu0g
So testing Passwordless applications:
- Having some kind of feedback that you are signed in is nice.
- Some kind of reference to a help page or similar to explain it is nice.
- How do we sign out?
- What is the anchor of security? (How do we know that the user is who they say they are? Do we care?)
- Do the pages that are supposed to require auth actually require it?
- Are the things that should be encrypted actually encrypted?
- Can you force the app to communicate with lower/bad encryption/protocols?
Dev tools in browsers will let you see this. If it is not a browser application, Wireshark or Burp can be useful tools for checking what is actually going on.
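As an added example (not code from either poster), here is what the "anchor of security" looks like on the relying-party side of a WebAuthn login, and therefore what a tester should try to break: the server must check that the challenge it issued comes back (no replay), that the origin is its own (no phishing site relaying the assertion), that `rpIdHash` matches its RP ID, that the user-presence flag is set, and that the signature counter moved. The field names follow the WebAuthn spec; `RP_ID`, `EXPECTED_ORIGIN` and the sample responses built by `make_sample_response` are assumptions constructed for this example, standing in for what `navigator.credentials.get()` would return. The final step, verifying the credential's signature over the returned `signed_data` with the stored public key, is left to whichever crypto library the site uses.

```python
"""Relying-party checks for a WebAuthn assertion (added example, constructed data)."""
import base64
import hashlib
import json
import secrets
import struct

# Assumed relying-party configuration for this example.
RP_ID = "example.test"
EXPECTED_ORIGIN = "https://example.test"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def new_challenge() -> str:
    """Server side: a fresh random challenge, kept in the session and accepted once."""
    return b64url_encode(secrets.token_bytes(32))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rpIdHash": auth_data[:32],
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
        "signCount": sign_count,
    }


def verify_assertion(response: dict, expected_challenge: str, stored_sign_count: int,
                     require_uv: bool = False):
    """Return (ok, reason, signed_data); signed_data is what the credential's signature covers."""
    client_data_bytes = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)", None
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch (phishing site or wrong host)", None
    auth_data = b64url_decode(response["authenticatorData"])
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID", None
    if not parsed["userPresent"]:
        return False, "user presence not asserted", None
    if require_uv and not parsed["userVerified"]:
        return False, "user verification required but not asserted", None
    # Counter check: if either side has a non-zero counter it must strictly increase.
    if (parsed["signCount"] or stored_sign_count) and parsed["signCount"] <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)", None
    # The authenticator signed authData || SHA-256(clientDataJSON); verify that next.
    signed_data = auth_data + hashlib.sha256(client_data_bytes).digest()
    return True, "ok", signed_data


def make_sample_response(challenge: str, origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID,
                         flags: int = FLAG_UP | FLAG_UV, sign_count: int = 1) -> dict:
    """Constructed stand-in for the browser's PublicKeyCredential response (no real signature)."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(auth_data),
    }


if __name__ == "__main__":
    challenge = new_challenge()
    print(verify_assertion(make_sample_response(challenge), challenge, 0)[:2])
    phished = make_sample_response(challenge, origin="https://example-login.test")
    print(verify_assertion(phished, challenge, 0)[:2])
    replayed = make_sample_response(new_challenge())
    print(verify_assertion(replayed, challenge, 0)[:2])
```

Each branch in `verify_assertion` maps to a test a pentester can run against a real deployment: resubmit a captured assertion (challenge reuse), relay one obtained on a look-alike domain (origin), and replay an older one after a newer login (counter). A server that accepts any of them has no real anchor, whatever the authenticator did.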