[feat] Support for FIDO2/WebAuthN? #608

Open
opened 2023-07-31 18:45:16 +00:00 by DiamantTh · 6 comments

The idea

I'm just asking here what about support for FIDO2/WebAuthN?

No one at Pleroma seems to have responded to the requests regarding this yet.

The reasoning

No response

Have you searched for this feature request?

  • I have double-checked and have not found this feature request mentioned anywhere.
  • This feature is related to the Akkoma backend specifically, and not pleroma-fe.
DiamantTh added the feature request label 2023-07-31 18:45:16 +00:00

main issue would be with testing, given that most devices that use those standards cost quite a bit of money

I can experiment with Android stuff to see how it behaves, but honestly I've almost zero visibility of how it works, so couldn't even offer an estimate as to how much effort it'd be

Author

How should I imagine that they cost a lot of money?
I own 2 of them; one is just the Yubikey, and mine cost about 60€.

There are also ones which cost about half as much.
The Nitrokey FIDO2, for example.


that _is_ quite a lot of money for a test for a feature that may or may not even happen

Chrome for example has a WebAuthn emulator included
https://developer.chrome.com/docs/devtools/webauthn/

also there are some significantly cheaper options than Yubikey or even Nitrokey, like Token2 offers FIDO2 keys for as low as 13,50€

https://www.token2.eu/shop/product/token2-t2f2-fido2-and-u2f-security-key

and obviously most Android phones and iPhones by now also support WebAuthn, as well as Windows 10 (1903 and later)/11 and macOS.

There are even libraries you can ~~steal~~ get inspiration from like
https://github.com/tanguilp/wax
Member

Expecting someone to also acquire special hardware at their own cost to implement a feature request, in addition to already spending their free time on creating the implementation itself, really isn’t reasonable.

For the record and in case there is interest though, there are several software implementations (https://github.com/herrjemand/awesome-webauthn#software-authenticators) besides the already mentioned Android stuff and Google Chrome feature (I don't see the “WebAuthn” tool in Chromium, either I missed something or it is Google Chrome specific?).
E.g. rust-u2f (https://github.com/danstiner/rust-u2f) appears to create a virtual U2F device on Linux, which allows interacting with *any* WebAuthn-supporting software as if it were a real hardware token. (caveat: doesn't seem like it supports passwordless authentication, only U2F)

the Software WebAuthn thing is kinda hidden, even in Chrome, but I think I also saw it in Brave on another system.
Screenshot from Chrome.

yeah sure I wouldn't expect ppl to buy stuff but I just mentioned another option because the things @DiamantTh mentioned are still kinda expensive in my opinion.

there are other things that are practically free (as usually someone has that anyway) like Windows itself offering it, and iOS. like from the 3 platform methods (Android, iOS and Windows) I would think one or 2 is within the grasp of many.
Reference: AkkomaGang/akkoma#608