Feature Name: Passwordless Authentication via WebAuthn

[TheMorpheus407]

Bootstrap Academy username

Morpheus

Description

Feature Name: Passwordless Authentication via WebAuthn

Problem Description:

As part of our ongoing efforts to enhance security and user experience, we aim to provide passwordless authentication. The goal is to allow users to register devices (e.g., security keys, biometrics) and then use these for authentication without relying on passwords. This will be done using the webauthn standard, that also supports passkeys. More info on passkeys

Component 1: WebAuthn Registration Service

Component Description:

This service will oversee the registration of new devices for users. It will guide users through the process of adding a new biometric identity or security key and store the necessary credentials safely.

Functional Requirements:

• [ ] Device Registration: Enable users to register new devices, be it biometric data (like fingerprints or facial recognition) or physical security keys.

• [ ] Credential Storage: Once a device is registered, securely store the WebAuthn credentials associated with the user's account.

• [ ] User Feedback: Provide users with feedback during the registration process, such as success messages or prompts for additional actions.

Non-Functional Requirements:

• [ ] Security: Given the sensitivity of biometric data and security keys, ensure that all data is encrypted and stored securely. Adhere to best practices for WebAuthn implementations.

• [ ] Performance: The registration process should be swift and responsive, minimizing waiting times for users.

• [ ] User Experience: Ensure a straightforward and intuitive registration process, with clear instructions and feedback.

Acceptance Criteria:

• [ ] Users can initiate and successfully complete the device registration process.

• [ ] All WebAuthn credentials are securely stored in association with the user's account.

• [ ] Users receive clear feedback during and after the registration process.

Component 2: WebAuthn Authentication Service

Component Description:

This service is responsible for managing the authentication process using the WebAuthn protocol. It verifies users based on the devices or biometrics they've previously registered and grants access based on successful verification.

Functional Requirements:

• [ ] Authentication Request: When a user attempts to log in, initiate a WebAuthn authentication request, prompting the user to use their registered device or biometric.

• [ ] Credential Verification: After receiving the authentication response, verify the WebAuthn credentials against the stored data to authenticate the user.

• [ ] Session Management: On successful authentication, generate and manage user sessions to maintain their authenticated state.

Non-Functional Requirements:

• [ ] Security: Adhere to best practices for WebAuthn implementations. Ensure that the authentication process is secure and resistant to common threats like replay attacks.

• [ ] Performance: The authentication process should be efficient, ensuring that users can log in quickly.

• [ ] User Experience: The authentication flow should be intuitive, with clear prompts guiding users through the process.

Acceptance Criteria:

• [ ] Users can initiate the WebAuthn authentication process and are prompted to use their registered device or biometric.

• [ ] The system can accurately verify WebAuthn credentials and authenticate users.

• [ ] On successful authentication, users are granted access and their session is managed appropriately.

Notes:

• UI/UX mockups need to be created post discussions and approvals on this issue.

[TheCrazyT]

Here are some of my thoughts:

I wonder if during registration a password will still be needed, or if it can be hidden. Guess some people want it only to be an additional option and still be able to put in a password? Because incase they lose the device, they still would be able to login. I also guess that maybe you should be able to add more than one security key. Incase can't login anymore ... should they be able to put in a new key in the "lost my password"-process?

You probably should also be able to add (or change) the security keys after the registration ...

[TheMorpheus407]

Yes. We should make Password one factor, that is optional, but available. I'd honestly prefer not to just rely on the security key. So it would be login via mail/username and at least one of [password, app,-2fa webauthn] Correct?

[TheCrazyT]

@TheMorpheus407 yes, this sounds ok to me.

PS: Somehow I dislike how windows manages it (the internal dialog that opens if you want to use a security key):

It looks like windows always asks first if you want to use "windows hello" for password storage. Currently there do not seem to be a way around. Atleast I didn't find one yet, maybe it depends on a windows setting? Even the "yubico" demo page shows that dialog https://demo.yubico.com/webauthn-technical/registration Kinda counter-intuitive that you need to press cancel ("Abbrechen") first when the dialog opens.

[TheMorpheus407]

Yeah, Windows hello is default for windows, but it should still work without, if you use your key.. shouldn't matter too much for the implementation though, I think, and it would make the process more secure for people without no key as well

[TheCrazyT]

After experimenting a little bit with a library("simplewebauthn") and making a prototype in my own fork of the frontend I noticed some problems that might happen.

Current problems are:

• the library itself seems to need user-information(id/nickname or email, but not both) or maybe I just not fully understood the example yet
  • on registration-page I can not use "id" since user does not exist yet, so I need to use nickname or email
  • normaly you don't need to put any username at all on passwordless login (atleast on the demo where I tested) ... so I either miss something, or the library is not usable for this
• the example of the used library uses cookies, currently i think there is no way around that (you need to store the "challenge" that was generated at the server, and since you are not loggin in during registration, you have no session)
  • this "challenge" needs to be stored on server (session) and not at the user
  • i needed to make some modifications on the fetch.js to make this one work
  • probably also needs some changes on the backend (CORS-Headers), since frontend and backend are 2 different servers
• Information about deleted keys must be stored on the server, since it does not seem to be possible to remove registered keys from within the browser
  • you also need to check against those "deleted" keys, to make shure they are handled as expired
• I always see 2 dialogs on windows (one with "windows hello" - after that the security-key setup, no matter if I continue or abort first window)
  • on another demo-page I somehow saw a better/different behaviour, without the "windows hello" dialog popping up
  • not shure if this is library related or I just need to set the right setting

I made mockup at https://docs.google.com/drawings/d/1HbNCyyRMAe2fU-L64TmwoA_Xj5EFzFyv64sYRuwDbis/edit?usp=sharing

Registration-page on my test looks like this:

Currently no clue about a meaningful label-text. Maybe a key-icon would not waste so much space, but I'm not shure if everybody would understand that. Also not shure about label-text on login page ...

[scolastico]

Hi, i would be happy to implement that.

[TheCrazyT]

@scolastico Guess there won't be any code changes anytime soon on my side. I sadly just don't have the time for now. Feel free for getting some inspiration from my forks (https://github.com/TheCrazyT/Bootstrap-Academy-auth-ms , https://github.com/TheCrazyT/Bootstrap-Academy-frontend) (but keep in mind that there are some critical TODO's in wauthn.py )

[scolastico]

Since I have some time this weekend, I would do it all. I have worked with webauthn before, not in python, but I am not unfamiliar with python. If you assign the ticket to me I will start working on it.

[TheCrazyT]

Wonder who can assign this ticket to you, probably @TheMorpheus407 or @Defelo ?

[scolastico]

Small update on the status of things:

• The ui part is mostly done, I'm currently checking the api.
• The last two weeks I was sick and had to take antibiotics, so no big update during this time.