[feat] Support for FIDO2/WebAuthN? #608
Reference: AkkomaGang/akkoma#608
The idea
I'm just asking here what about support for FIDO2/WebAuthN?
No one at Pleroma seems to have responded to the requests regarding this yet.
The reasoning
No response
Have you searched for this feature request?
main issue would be with testing, given that most devices that use those standards cost quite a bit of money
I can experiment with android stuff to see how it behaves, but honestly I've almost zero visibility of how it works, so couldn't even offer an estimate as to how much effort it'd be
How should I imagine that they cost a lot of money?
I own 2 pieces; one of them is just the Yubikey, where mine cost about 60€.
There are also ones which cost about half as much.
The Nitrokey Fido2, for example.
that is quite a lot of money for a test for a feature that may or may not even happen
Chrome for example has a WebAuthn emulator included
https://developer.chrome.com/docs/devtools/webauthn/
also there are some significantly cheaper options than Yubikey or even Nitrokey, like Token2 offers FIDO2 keys for as low as 13,50€
https://www.token2.eu/shop/product/token2-t2f2-fido2-and-u2f-security-key
and obviously most Android and iPhones by now also support WebAuthn, as well as Windows 10 (1903 and later)/11 and macOS.
There are even libraries you can ~~steal~~ get inspiration from, like https://github.com/tanguilp/wax
Expecting someone to also acquire special hardware at their own cost to implement a feature request, in addition to already spending their free time on creating the implementation itself, really isn’t reasonable.
For the record and in case there is interest though, there are several software implementations besides the already mentioned Android stuff and Google Chrome feature (I don't see the “WebAuthn” tool in Chromium, either I missed something or it is Google Chrome specific?).
E.g. rust-u2f appears to create a virtual U2F device on Linux, which allows interacting with any WebAuthn-supporting software as if it were a real hardware token. (caveat: doesn't seem like it supports passwordless authentication, only U2F)
the Software WebAuthn thing is kinda hidden, even in Chrome, but I think I also saw it in Brave on another system.
Screenshot from Chrome.
yeah sure I wouldn't expect ppl to buy stuff but I just mentioned another option because the things @DiamantTh mentioned are still kinda expensive in my opinion.
there are other things that are practically free (as usually someone has that anyway) like Windows itself offering it, and iOS. like from the 3 platform methods (Android, iOS and Windows) I would think one or 2 is within the grasp of many.