This is a proof-of-concept implementation of passwordless authentication at the network's edge, using Passkeys & WebAuthn.
It's built in Rust, for Fastly's Compute.
It uses KV Store, Fastly's CRDT-based edge state system, to store both user data and short-lived authentication challenges (no cookies!).
Passkeys are a new type of login credential that allows you to log in to sites and services without having to enter a password – think biometric locks.
Passkeys are a compelling WebAuthn-based alternative to the ubiquitous “password + 2nd-factor” authentication. Unlike low-assurance 2nd factors like SMS, they're resistant to push-phishing, unique across every website, and generated using cryptographically secure hardware.
Additionally, passkeys generated by the 3 main platform authenticator vendors (Apple, Google, and Microsoft) are automatically synced across a user's devices via their cloud account.
Look at the far right side of this diagram:
Imagine building a high scale, globally distributed FIDO2 authentication solution — without having to manage the underlying infrastructure. The code is executed at the network's edge, close to your users.
If you haven't got a Fastly account, get one for free, and head on over to developer.fastly.com for instructions on getting started with Compute.
You'll need to install the Fastly CLI and Rust language tooling.
First, rebuild openssl-wasm with bn_ops set to THIRTY_TWO_BIT (or build OpenSSL for the wasm32-wasi target with another tool of your choosing).
Next, set the OPENSSL_DIR env variable to point to your precompiled library root, and OPENSSL_STATIC to 1, to statically link OpenSSL.
export OPENSSL_STATIC=1
export OPENSSL_DIR=$(pwd)/openssl-wasm/precompiled/
Run fastly compute serve to spin up a local development server and see the demo in action, or fastly compute serve --watch if you want to hot-reload any changes to the code.
Open http://localhost:7676/ in your browser, rather than http://127.0.0.1:7676 – 127.0.0.1 is not a valid RP domain.
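The check behind that last point, as an added example (not code from this project): a simplified Rust version of the RP ID rule browsers apply, in which an IP-literal host can never be an RP ID while localhost is accepted. The function and error names are this example's own, and it assumes a label-boundary suffix match in place of a Public Suffix List lookup.

```rust
use std::net::IpAddr;

/// Why an (origin, RP ID) pair is rejected. Names are this example's own.
#[derive(Debug, PartialEq)]
pub enum RpIdError { BadOrigin, InsecureOrigin, HostIsIpAddress, NotDomainSuffix }

/// Split "scheme://host[:port]" into (scheme, host); handles "[::1]:7676".
fn split_origin(origin: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = origin.split_once("://")?;
    let authority = rest.split('/').next()?;
    let host = if let Some(v6) = authority.strip_prefix('[') {
        v6.split_once(']')?.0
    } else {
        authority.rsplit_once(':').map_or(authority, |(h, _)| h)
    };
    if host.is_empty() { None } else { Some((scheme, host)) }
}

/// Simplified WebAuthn RP ID check. Assumption: no Public Suffix List lookup,
/// so "registrable domain suffix" is approximated by a label-boundary match.
pub fn check_rp_id(origin: &str, rp_id: &str) -> Result<(), RpIdError> {
    let (scheme, host) = split_origin(origin).ok_or(RpIdError::BadOrigin)?;
    let host = host.to_ascii_lowercase();
    let rp_id = rp_id.to_ascii_lowercase();
    // An IP literal is not a domain, so it can never serve as an RP ID.
    if host.parse::<IpAddr>().is_ok() {
        return Err(RpIdError::HostIsIpAddress);
    }
    // Browsers expose WebAuthn only in secure contexts; localhost is exempt.
    if scheme != "https" && host != "localhost" {
        return Err(RpIdError::InsecureOrigin);
    }
    // The RP ID must equal the host or be a parent domain at a label boundary.
    if host == rp_id || host.ends_with(&format!(".{rp_id}")) {
        Ok(())
    } else {
        Err(RpIdError::NotDomainSuffix)
    }
}

fn main() {
    // Constructed origins matching the local development server above.
    for o in ["http://localhost:7676", "http://127.0.0.1:7676"] {
        println!("{o} -> {:?}", check_rp_id(o, "localhost"));
    }
}
```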