Bootstrap-Academy / Bootstrap-Academy

https://bootstrap.academy
121 stars, 2 forks

Feature Name: Passwordless Authentication via WebAuthn #68

Open TheMorpheus407 opened 1 year ago

TheMorpheus407 commented 1 year ago

Bootstrap Academy username

Morpheus

Description

Feature Name: Passwordless Authentication via WebAuthn

Problem Description:

As part of our ongoing efforts to enhance security and user experience, we aim to provide passwordless authentication. The goal is to allow users to register devices (e.g., security keys, biometrics) and then use these for authentication without relying on passwords. This will be done using the WebAuthn standard, which also supports passkeys. More info on passkeys

Component 1: WebAuthn Registration Service

Component Description:

This service will oversee the registration of new devices for users. It will guide users through the process of adding a new biometric identity or security key and store the necessary credentials safely.

Functional Requirements:

Non-Functional Requirements:

Acceptance Criteria:

Component 2: WebAuthn Authentication Service

Component Description:

This service is responsible for managing the authentication process using the WebAuthn protocol. It verifies users based on the devices or biometrics they've previously registered and grants access based on successful verification.

Functional Requirements:

Non-Functional Requirements:

Acceptance Criteria:

Notes:
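The two components above are specified only at the feature level. As an added example that is not code from this repository, the following pure-Python sketch shows the checks the authentication service has to make on a WebAuthn assertion (ceremony type, challenge, origin, rpIdHash, user-presence and user-verification flags, signCount, signature) together with a toy authenticator so it runs offline. The RP ID, the origin, the `ToyAuthenticator` class and the hand-rolled P-256 ECDSA are assumptions made for the demo; a real service would use a library such as py_webauthn, and the registration side (CBOR attestation object, COSE public key) is omitted.

```python
"""WebAuthn RP-side assertion checks in pure Python; added example, not Bootstrap Academy code."""
import base64, hashlib, json, secrets, struct

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF  # NIST P-256 prime
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)  # base point
RP_ID = "bootstrap.academy"           # assumed relying-party ID
ORIGIN = "https://bootstrap.academy"  # assumed browser origin the RP accepts
FLAG_UP, FLAG_UV = 0x01, 0x04         # authenticatorData flag bits

def _add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:  # retry on the negligible chance that r or s is zero
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s: return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data_json(challenge, origin=ORIGIN, typ="webauthn.get"):
    # What the browser would hand back as clientDataJSON (constructed for the demo).
    return json.dumps({"type": typ, "challenge": b64url(challenge), "origin": origin}).encode()

class ToyAuthenticator:  # stand-in for a registered security key: one key pair, one signCount
    def __init__(self):
        self.priv = secrets.randbelow(N - 1) + 1
        self.pub, self.count = _mul(self.priv, G), 0
    def get_assertion(self, client_data, flags=FLAG_UP | FLAG_UV):
        self.count += 1
        # authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian)
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", self.count)
        sig = ecdsa_sign(self.priv, auth_data + hashlib.sha256(client_data).digest())
        return auth_data, client_data, sig

def verify_assertion(cred, challenge, auth_data, client_data, sig, require_uv=True):
    """RP-side checks on a navigator.credentials.get() result; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != ORIGIN:
        return False, "unexpected origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not auth_data[32] & FLAG_UV:  # UV is what makes the login passwordless
        return False, "user verification not asserted"
    count = struct.unpack(">I", auth_data[33:37])[0]
    if (count or cred["sign_count"]) and count <= cred["sign_count"]:
        return False, "signCount did not increase"  # possible cloned authenticator
    if not ecdsa_verify(cred["pub"], auth_data + hashlib.sha256(client_data).digest(), sig):
        return False, "bad signature"
    cred["sign_count"] = count  # persist only after every check passed
    return True, "ok"

def demo():
    key = ToyAuthenticator()
    cred = {"pub": key.pub, "sign_count": 0}  # what registration stored
    chal = secrets.token_bytes(32)            # fresh single-use challenge
    ad, cd, sig = key.get_assertion(client_data_json(chal))
    ad2, cd2, sig2 = key.get_assertion(client_data_json(chal))
    return {
        "good": verify_assertion(cred, chal, ad, cd, sig),
        "replay": verify_assertion(cred, chal, ad, cd, sig),  # same assertion a second time
        "bad_sig": verify_assertion(cred, chal, ad2, cd2, (sig2[0], (sig2[1] + 1) % N)),
        "stale_challenge": verify_assertion(cred, secrets.token_bytes(32), *key.get_assertion(client_data_json(chal))),
        "phish_origin": verify_assertion(cred, chal, *key.get_assertion(client_data_json(chal, origin="https://evil.example"))),
        "no_uv": verify_assertion(cred, chal, *key.get_assertion(client_data_json(chal), flags=FLAG_UP)),
    }
```

`demo()` returns one accepted login and five rejections. In a real service the challenge is also deleted server-side after one use, so the replay case would already fail at the challenge check rather than at the counter; the counter check is what catches a cloned key that presents a fresh challenge. The origin case is the phishing-resistance property: a relay site gets a clientDataJSON with its own origin, which the signature covers, so it cannot be rewritten.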

TheCrazyT commented 1 year ago

Here are some of my thoughts:

I wonder if during registration a password will still be needed, or if it can be hidden. I guess some people want it only to be an additional option and still be able to put in a password, because in case they lose the device, they would still be able to log in. I also guess that maybe you should be able to add more than one security key. In case they can't log in anymore ... should they be able to put in a new key in the "lost my password" process?

You probably should also be able to add (or change) the security keys after the registration ...

TheMorpheus407 commented 1 year ago

Yes. We should make password one factor that is optional, but available. I'd honestly prefer not to just rely on the security key. So it would be login via mail/username and at least one of [password, app-2FA, WebAuthn]. Correct?

TheCrazyT commented 1 year ago

@TheMorpheus407 yes, this sounds ok to me.

PS: Somehow I dislike how Windows manages it (the internal dialog that opens if you want to use a security key):

It looks like Windows always asks first if you want to use "Windows Hello" for password storage. Currently there does not seem to be a way around it. At least I didn't find one yet; maybe it depends on a Windows setting? Even the "yubico" demo page shows that dialog: https://demo.yubico.com/webauthn-technical/registration Kinda counter-intuitive that you need to press cancel ("Abbrechen") first when the dialog opens.

TheMorpheus407 commented 1 year ago

Yeah, Windows Hello is the default on Windows, but it should still work without it if you use your key. Shouldn't matter too much for the implementation though, I think, and it would make the process more secure for people without a key as well.

TheCrazyT commented 1 year ago

After experimenting a little bit with a library ("simplewebauthn") and making a prototype in my own fork of the frontend, I noticed some problems that might happen.

Current problems are:

I made a mockup at https://docs.google.com/drawings/d/1HbNCyyRMAe2fU-L64TmwoA_Xj5EFzFyv64sYRuwDbis/edit?usp=sharing

The registration page on my test looks like this:

Currently no clue about a meaningful label text. Maybe a key icon would not waste so much space, but I'm not sure if everybody would understand that. Also not sure about the label text on the login page ...

scolastico commented 1 month ago

Hi, I would be happy to implement that.

TheCrazyT commented 1 month ago

@scolastico I guess there won't be any code changes anytime soon on my side. I sadly just don't have the time for now. Feel free to get some inspiration from my forks (https://github.com/TheCrazyT/Bootstrap-Academy-auth-ms , https://github.com/TheCrazyT/Bootstrap-Academy-frontend) (but keep in mind that there are some critical TODOs in wauthn.py).

scolastico commented 1 month ago

Since I have some time this weekend, I would do it all. I have worked with WebAuthn before, not in Python, but I am not unfamiliar with Python. If you assign the ticket to me I will start working on it.

TheCrazyT commented 1 month ago

I wonder who can assign this ticket to you, probably @TheMorpheus407 or @Defelo?

scolastico commented 2 weeks ago

Small update on the status of things: