Support hardware tokens (WebAuthn) #25
Comments
Hi @stephanvierkant, actually I started to develop an extension to that lib to support Webauthn. By the way, it will allow hardware tokens (Yubico, Feitian…) as well as internal authenticators (Android, Apple Face/TouchId…).
Great to hear! Keep us posted and let us know if you need some help.
I have to say I have no experience at all with hardware tokens (no idea what FIDO2/U2F is), so I'm probably not the best person to implement this. Why not contribute back to
Flagging this with "help wanted", in case this should ever become part of the 2fa package rather than being provided by a 3rd-party package. Someone with knowledge in that field, who knows how it's best implemented, what libraries to use, etc., would be needed to contribute it. As mentioned above, I don't feel experienced enough with that authentication method to implement it with confidence.
I think it's time I contributed back ;-) Drop me a quick email at phil@phil-taylor.com and I'll reply back with my thoughts on a plan.
I have been playing with the From my findings, the best solution would be to create a two factor provider implementation using this package (or at least, webauthn is way too complex to implement without a third party package). So I would suggest to either create a two factor provider for
Hi @wouterj,
Yes, no need to rush. Someone on Twitter proposed this idea and I just wanted to quickly share my thoughts on this, in case someone wants to work on it but needs some directions :)
I've also had an email exchange with @PhilETaylor recently, though I haven't heard back from him. He mentioned that he has some implementations ready that he could contribute.
@wouterj what's the use case here? Use webauthn instead of TOTP (as in, no auth codes, use a Yubikey or fingerprint on mobile)?
The use case is to provide another common two-factor authentication method as a ready-to-use package, besides the 3 that the bundle already supports (TOTP, Google Authenticator, Code-via-Email).
In addition to @scheb's answer, Webauthn can be used as a new auth factor, but offers more than that. When your users have already registered (at least) one authenticator, they can be logged in directly without a password (and without a username under certain requirements).
I spent considerable time on this, but got pulled away (as is life), sorry. Also, with scheb not having experience with webauthn, I thought I would struggle to get something past the line. We already have scheb/2fa or webauthn login at manage.mySites.guru but it's not currently implemented as a It would be relatively easy to replicate the other providers; however, the difference to the existing flow is that there is an initial ajax call needed after the user has provided their username (credential identifier) to get the currently stored webauthn data for that user, before the third party lib JS can provide the challenge prompt in the browser.
Currently you have:
LOGIN FORM COMPLETE -> SUBMIT -> ENTER 2FA CODE -> SUBMIT -> LOGGED IN
With webauthn this would be:
LOGIN FORM USERNAME, ajax call, prompt to "touch/activate" key, ajax call -> AUTO SUBMIT -> LOGGED IN
I think, for the scheb/2fa implementation, the additional/advanced features of webauthn (like login without username) should be ignored (at least initially), and the scheb/2fa implementation should be just true to the name, "two factor auth". I think we should financially gift a hardware key to @scheb so that he can hold it in his hand and start to understand it. Send me an Amazon gift list or link :) As has been said before, no one should ever consider doing any of this without @Spomky's `web-auth/*` libs ;-)
Fully agreed here, the protocol seems way too thick to inline it here or anywhere. Having a common implementation which gets used (in 2FA scenarios or directly) is the best approach for the entire ecosystem IMO.
Joomla 4.0.0 Stable, just released, has webauthn now, and their approach (as is mine on my service) is to have two buttons on the login form: one for using a password, and one for using webauthn (so no need to enter a password). I still think this is confusing, but this is the major difference to the way all the other providers work (they all take you to a captive 2fa code entry page after providing username/password).
Hi there, TL;DR: I must admit that @PhilETaylor is right: this requires too much modification and I prefer another approach. As said earlier, I started working on a fork of this project in order to add a new 2nd factor named The approach proposed by Joomla could seem to be confusing, but for me it is not.
For some professional projects I manage, we use Auth0 and the Universal Login is quite similar (source: https://cdn.auth0.com/manhattan/versions/1.3361.0/assets/auth-profiles/identifier-first-biometrics.svg): My conclusion is that adding a new 2nd factor will cause headaches while just adding the dedicated Webauthn is (relatively) simple.
@wouterj, I received some authenticators from a manufacturer for the Stefen Richter participation at SF Paris 2020. I still have one or two if needed.
From what I've learned so far, WebAuthn is much more capable than just providing another authentication code in a 2fa process. Though, I'd like to scope the discussion here around providing a second-factor authentication code within a multi-step authentication process. This second step would be completely independent from how the user was initially authenticated (be it username+password or something else). The goal would be to execute this second step via the WebAuthn API, basically instead of typing an authentication code manually. If you want to do user identification and authentication through WebAuthn, then you're not doing 2-step authentication, but single-step authentication. That's something Symfony Security can do out-of-the-box, you don't need Anyone who's looking for WebAuthn support as a second-factor authentication code within a multi-step authentication process, feel free to add to the discussion and contribute. But maybe
@Spomky If you need help with that, let me know.
I think the gist of this issue is https://webauthn-doc.spomky-labs.com/the-webauthn-server/the-easy-way/user-authentication After the main authenticator authenticated the user, this bundle's authentication factor needs to do 3 things (mostly client side):
From this description, it seems like it should be possible (but maybe my description is much too simplistic). @Spomky if you have any questions regarding changes in the new security (or think things can be improved to better integrate web-authn), feel free to drop me a message on Slack. We want to have great support for modern security standards, and I strongly believe webauthn is one of those.
Hi, I've just published my preliminary work on supporting Webauthn. See PR #106.
This is correct. From what I understand, the gathering of known public keys can be performed during the Step 4 is handled by I propose you continue the discussion on the PR thread. BR.
Many thanks. I have tons of questions! My main concern is to maintain BC compatibility. I can see the 2FA bundle is achieving that in a convenient way. I think I will start learning from it.
I am convinced of it too. For SF UX, you will find a working example I recently deployed on a project.
```twig
<button
    {{ stimulus_controller('webauthn', {
        optionsUrl: '/login/options',
        actionUrl: '/login/check',
        successUrl: '/',
    }) }}
    data-action="webauthn#onLogin"
>
    Log me in!
</button>
```
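The browser-side half of the flow @PhilETaylor sketched (options ajax call, "touch/activate" prompt, check ajax call, auto submit), wired to the `optionsUrl`/`actionUrl` pair used in the Twig snippet above, as an added example that is not code from scheb/2fa, web-auth or anyone in this thread. `fetch` and `navigator.credentials` are passed in as parameters so the same code runs under Node for testing, and the JSON shapes exchanged with the server are assumptions.

```javascript
// Added example, not from scheb/2fa or anyone in this thread: the client side of
// the second step (options call -> key prompt -> check call). fetch and
// navigator.credentials are injected so it also runs under Node; the /login/options
// and /login/check paths follow the Twig snippet, the JSON shapes are assumed.
const atobFn = typeof atob === 'function' ? atob : (s) => Buffer.from(s, 'base64').toString('binary');
const btoaFn = typeof btoa === 'function' ? btoa : (s) => Buffer.from(s, 'binary').toString('base64');
// base64url <-> bytes: the server speaks JSON, the WebAuthn API speaks buffers.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atobFn(b64 + '='.repeat((4 - (b64.length % 4)) % 4)), (c) => c.charCodeAt(0));
}
function bytesToB64url(buf) {
  return btoaFn(String.fromCharCode(...new Uint8Array(buf))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Step 1: decode the PublicKeyCredentialRequestOptions issued for the user who
// already passed the password step (challenge + ids of that user's registered keys).
function decodeRequestOptions(json) {
  return {
    ...json,
    challenge: b64urlToBytes(json.challenge),
    allowCredentials: (json.allowCredentials || []).map((c) => ({ ...c, id: b64urlToBytes(c.id) })),
  };
}
// Step 3: the assertion holds ArrayBuffers; re-encode it for the check POST.
function encodeAssertion(cred) {
  const enc = (b) => (b ? bytesToB64url(b) : null);
  const r = cred.response;
  return {
    id: cred.id, rawId: enc(cred.rawId), type: cred.type,
    response: { clientDataJSON: enc(r.clientDataJSON), authenticatorData: enc(r.authenticatorData),
                signature: enc(r.signature), userHandle: enc(r.userHandle) },
  };
}
// Whole second factor. The server verifies the signature over its own challenge;
// the client only relays it and then follows the server's verdict ("AUTO SUBMIT").
async function webauthnSecondFactor({ fetchFn, credentials, optionsUrl = '/login/options', actionUrl = '/login/check' }) {
  const optRes = await fetchFn(optionsUrl, { method: 'POST', credentials: 'same-origin' });
  if (!optRes.ok) throw new Error(`options request failed: ${optRes.status}`);
  const publicKey = decodeRequestOptions(await optRes.json());
  const assertion = await credentials.get({ publicKey }); // "touch/activate" prompt
  const checkRes = await fetchFn(actionUrl, {
    method: 'POST', credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(encodeAssertion(assertion)),
  });
  if (!checkRes.ok) throw new Error(`2fa check failed: ${checkRes.status}`);
  return checkRes.json();
}
```

In a browser you would call `webauthnSecondFactor({ fetchFn: fetch.bind(window), credentials: navigator.credentials })` from the form's submit handler and redirect on the returned verdict.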
Hello, where is the project to implement webauthn as 2FA?
I have written a basic 2fa provider using Spomky's Web-Authn Framework: https://github.com/jbtronics/2fa-webauthn It offers backwards compatibility with U2F keys registered via r/u2f-two-factor-bundle, so users can use their existing keys without re-registering.
I'm using hardware tokens from Yubico. It would be great if this library supported WebAuthn.
I've used r/u2f-two-factor-bundle before, but it doesn't support scheb/2fa and it lacks some quality this library has. And I think it's better to support the newer WebAuthn API instead of FIDO2/U2F.
See https://caniuse.com/webauthn for browser support.