Being an intern is easily the best way for students to gain experience in software engineering. What is perhaps not so obvious, is that many of these experiences can be incredibly frustrating while going through them. Especially if you have nobody to blame but yourself.
During my summer internship, I was tasked with making a number of improvements to our web application to make it more mobile-friendly. One of these improvements was to allow for a passwordless login so our users could log in faster. This is a simple task for native apps, but can become a bit more involved for Progressive Web Apps. The main tool for this feature is a frontend API called WebAuthn. For the uninitiated, WebAuthn allows a PWA to take biometric data (like a fingerprint or face scan) and turn it into a unique key. This key can then be used instead of a password.
WebAuthn requires that your app performs many security checks in the backend to prevent malicious behavior. This is an easy task if your backend is in Javascript. The company with which I interned used .NET framework, and it was impossible to find a library to perform the required security checks. Correction: It was impossible for me to find a library. What was a poor intern to do? I bravely decided that I, a CS student with only 4 weeks of professional experience, would write a library in C# to perform all the proper security checks required for WebAuthn to function.
Did I say bravely?
I meant stupidly.
I spent about a week and a half trying to figure out the ins and outs of encryption, hashes, credentials, and other security mumbo jumbo that I understood like a toddler understands time dilation. I dutifully followed The Documentation™. I did everything I could to duct tape together a backend that would properly communicate with WebAuthn. I just couldn’t get it to work. Things were moving at a snail’s pace. Between working with against legacy code, a relatively new language, and an overwhelming sense of imposter syndrome, I realized that I just couldn’t do it.
Frustrated, I started searching for alternatives, hoping against hope that my Google-fu had simply failed me the first day I looked for a library. Well it turns out it had. After simply searching “webauthn net library”, I found my answer. Literally the first result. I felt a solid 50/50 mix of rage and relief. After congratulating myself on properly typing 3 words into a search engine, I got to work. All I had to do was download a package, and all the backend work sat at my fingertips, waiting to be implemented. It was still work to get everything set up properly — I had little experience with typed languages and encoding at the time. But it took a fraction of the time that it would have taken for me to implement everything on my own. And boy was I ecstatic when I first saw the final credential properly formatted and printed out on my console window.
There are many things I can learn from this mistake. “Measure twice, cut once” is good for carpentry; the software equivalent could be “Google twice, code once”. That’s the first takeaway. Second, if you’re looking for a library for the most used web authentication platforms, then it probably exists. Lastly, it’s okay to throw away code that you have put hours of time and effort into if it just isn’t working (as long as you find a better option). I am very thankful that I was able to struggle so that I could learn for the future.
But if I ever see the words WebAuthn and .NET put together again, I might just scream.
