ASP.NET Core 8.0 - Users Without Passwords Project

v4.0.6

V4 Coming Soon!

The World Wide Web Consortium (W3C) is working on the next API specification for accessing Public Key Credentials. The W3C Working Draft, dated 27 January 2025 is published at Web Authentication: An API for accessing Public Key Credentials Level 3 . The latest Editors Draft is published at Editor’s Draft, 11 July 2025 .

I am updating the UWPP V4 to support these new requirements. The Attestation (registration) and Assertion (authentication) processes have been updated and commented to meet the new specification. New properties are added to the Passkey (credential) and the PasskeyChallenge (audit) records. I updated the Passkey and PasskeyChallenge UI. I added Ed25519 algorithm and Discoverable Credential support. I am working to update the Users Without Passwords Project, Users With Device 2FAProject, and Users With Comments Project to version 4.

Probably the most exciting specification is support for cross-origin authentication. I am testing the UWPP V4 at Fido.KenHaggerty.Com. Fido.KenHaggerty.Com is a modified version of the UWPP with security settings and UI to host cross-origin authentication. The published versions of Users Without Passwords Project, Users With Device 2FA Project, Users Without Identity Project, Users With Comments Project have been modified to authenicate with a pre-registered Fido.KenHaggerty.Com user.

Help Test Cross-Origin Authentication

  • Register a user on Fido.KenHaggerty.Com.
  • Use the Login Central Portal on a supported site to login with a Fido.KenHaggerty.Com user.
  • The first login requires a local account association, choose new local account or link to an existing local account.

From the beginning of online accounts, we had passwords. Then we got “I forgot my password”. Password recovery processes were developed to reduce support fatigue. The most popular recovery mechanism is a link with a password reset token sent to the user by email. Then we got “I didn’t get the email”. To help mitigate email delivery issues, the online account registration process required a confirmed email address before access is granted. This discourages users from registering because they fear their email address will be sold, stolen, shared, or abused by email spammers. If passwords are removed, the email address can become optional.

The Users Without Passwords Project (UWPP) is the source code for UsersWithoutPasswords. Com. The UWPP is developed with Visual Studio 2022 and the MS Long Term Support (LTS) version .NET 8.0 framework. All Errors, Warnings, and Messages from Code Analysis have been mitigated. The UWPP implements WebAuthn, also known as FIDO2, instead of passwords. Windows Hello implements authentication with an IR webcam for facial recognition, a fingerprint scanner, or just by setting up and using a PIN. See Learn about Windows Hello and set it up.

The UWPP was initially developed back in 2021 with framework .NET 5.0 based on the W3C Recommendation, 8 April 2021, Web Authentication: An API for accessing Public Key Credentials Level 2. Version 2.x of the project was upgraded to .NET 6.0, integrated the ASP.NET Core 6.0 - Homegrown Analytics Project, and implements multiple email addresses per user. I enabled the nullable context and mitigated all warnings and issues. Version 3.x of the project was upgraded to .NET 8.0. Version 4.x of the project is upgraded to support the W3C Working Draft, 27 January 2025, Web Authentication: An API for accessing Public Key Credentials Level 3.

The latest version of the UWPP is published at UsersWithoutPasswords. Com. The project supports multiple FIDO2 authenticators. Users can self-manage authenticators in Manage Account. Admins can list users, authenticators, and histories.