doramatadora / compute-rust-passkey

Passkey implementation with WebAuthn and Compute@Edge

Passwordless authentication at the network's edge

This is a proof-of-concept implementation of passwordless authentication at the network's edge, using Passkeys & WebAuthn.

It's built in Rust, for Fastly's Compute.

It uses KV Store, Fastly's CRDT-based edge state system, to store both user data and short-lived authentication challenges (no cookies!).

What are Passkeys?

Passkeys are a new type of login credential that allows you to log in to sites and services without having to enter a password – think biometric locks.

Passkeys are a compelling WebAuthn-based alternative to the ubiquitous “password + 2nd-factor” authentication. Unlike low-assurance 2nd factors like SMS, they're resistant to push-phishing, unique across every website, and generated using cryptographically secure hardware.

Additionally, passkeys generated by the 3 main platform authenticator vendors (Apple, Google, and Microsoft) are automatically synced across a user's devices via their cloud account.

What is this?

Look at the far right side of this diagram: FIDO2: WebAuthn + CTAP diagram

Imagine building a high scale, globally distributed FIDO2 authentication solution — without having to manage the underlying infrastructure. The code is executed at the network's edge, close to your users.

Try it yourself

If you haven't got a Fastly account, get one for free, and head on over to developer.fastly.com for instructions on getting started with Compute.

You'll need to install the Fastly CLI and Rust language tooling.

First, rebuild openssl-wasm with bn_ops set to THIRTY_TWO_BIT (or build OpenSSL for the wasm32-wasi target with another tool of your choosing).

Next, set the OPENSSL_DIR env variable to point to your precompiled library root, and OPENSSL_STATIC to 1, to statically link OpenSSL.

export OPENSSL_STATIC=1
export OPENSSL_DIR=$(pwd)/openssl-wasm/precompiled/

Run fastly compute serve to spin up a local development server and see the demo in action, or fastly compute serve --watch if you want to hot-reload any changes to the code.

Open http://localhost:7676/ in your browser, rather than http://127.0.0.1:7676, since 127.0.0.1 is not a valid RP domain.
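Why the 127.0.0.1 URL fails, as an added example that is not code from this repository: WebAuthn only accepts a domain as the relying party (RP) ID, so an origin whose host is an IP literal is rejected, while http://localhost is accepted for local development. The names `check_origin` and `RpError` are hypothetical, and the suffix match is simplified (a full check also consults the Public Suffix List).

```rust
use std::net::IpAddr;

/// Why an origin / RP ID pair is rejected (hypothetical names for this example).
#[derive(Debug, PartialEq)]
enum RpError { BadOrigin, InsecureScheme, IpLiteralHost, RpIdMismatch }

/// Split "scheme://host[:port]" into (scheme, host); IPv6 brackets are dropped.
fn split_origin(origin: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = origin.split_once("://")?;
    let authority = rest.split('/').next()?;
    let host = if let Some(v6) = authority.strip_prefix('[') {
        v6.split(']').next()?
    } else {
        authority.rsplit_once(':').map_or(authority, |(h, _)| h)
    };
    if host.is_empty() { None } else { Some((scheme, host)) }
}

/// Server-side check of the clientDataJSON origin against the configured RP ID.
fn check_origin(origin: &str, rp_id: &str) -> Result<(), RpError> {
    let (scheme, host) = split_origin(origin).ok_or(RpError::BadOrigin)?;
    let host = host.to_ascii_lowercase();
    // WebAuthn requires the host to be a domain; IPv4/IPv6 literals never qualify.
    if host.parse::<IpAddr>().is_ok() {
        return Err(RpError::IpLiteralHost);
    }
    // Plain http is tolerated only for local development on localhost.
    if scheme != "https" && !(scheme == "http" && host == "localhost") {
        return Err(RpError::InsecureScheme);
    }
    // The RP ID must equal the host or be a label-aligned parent domain of it.
    // Simplification: the Public Suffix List check is omitted.
    let rp_id = rp_id.to_ascii_lowercase();
    if host == rp_id || host.ends_with(&format!(".{}", rp_id)) {
        Ok(())
    } else {
        Err(RpError::RpIdMismatch)
    }
}

fn main() {
    // The two URLs from the instructions above, checked against RP ID "localhost".
    for origin in ["http://localhost:7676", "http://127.0.0.1:7676"] {
        println!("{} -> {:?}", origin, check_origin(origin, "localhost"));
    }
}
```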

License: MIT License