Open TheMorpheus407 opened 1 year ago
Here are some of my thoughts:
I wonder if during registration a password will still be needed, or if it can be hidden. I guess some people want it only to be an additional option and still be able to put in a password? Because in case they lose the device, they would still be able to log in. I also guess that maybe you should be able to add more than one security key. In case they can't log in anymore ... should they be able to put in a new key in the "lost my password" process?
You probably should also be able to add (or change) the security keys after the registration ...
Yes. We should make the password one factor that is optional, but available. I'd honestly prefer not to just rely on the security key. So it would be login via mail/username and at least one of [password, app-2fa, webauthn]. Correct?
@TheMorpheus407 yes, this sounds ok to me.
PS: Somehow I dislike how Windows manages it (the internal dialog that opens if you want to use a security key):
It looks like Windows always asks first if you want to use "Windows Hello" for password storage. Currently there does not seem to be a way around it. At least I didn't find one yet; maybe it depends on a Windows setting? Even the "yubico" demo page shows that dialog: https://demo.yubico.com/webauthn-technical/registration Kinda counter-intuitive that you need to press cancel ("Abbrechen") first when the dialog opens.
Yeah, Windows Hello is the default for Windows, but it should still work without it if you use your key.. It shouldn't matter too much for the implementation though, I think, and it would make the process more secure for people without a key as well.
After experimenting a little bit with a library ("simplewebauthn") and making a prototype in my own fork of the frontend, I noticed some problems that might happen.
Current problems are:
I made a mockup at https://docs.google.com/drawings/d/1HbNCyyRMAe2fU-L64TmwoA_Xj5EFzFyv64sYRuwDbis/edit?usp=sharing
The registration page on my test looks like this:
Currently no clue about a meaningful label text. Maybe a key icon would not waste so much space, but I'm not sure if everybody would understand that. Also not sure about the label text on the login page ...
Hi, I would be happy to implement that.
@scolastico I guess there won't be any code changes anytime soon on my side. I sadly just don't have the time for now. Feel free to get some inspiration from my forks (https://github.com/TheCrazyT/Bootstrap-Academy-auth-ms , https://github.com/TheCrazyT/Bootstrap-Academy-frontend) (but keep in mind that there are some critical TODOs in wauthn.py).
Since I have some time this weekend, I would do it all. I have worked with webauthn before, not in python, but I am not unfamiliar with python. If you assign the ticket to me I will start working on it.
Wonder who can assign this ticket to you, probably @TheMorpheus407 or @Defelo ?
Small update on the status of things:
Bootstrap Academy username
Morpheus
Description
Feature Name: Passwordless Authentication via WebAuthn
Problem Description:
As part of our ongoing efforts to enhance security and user experience, we aim to provide passwordless authentication. The goal is to allow users to register devices (e.g., security keys, biometrics) and then use these for authentication without relying on passwords. This will be done using the WebAuthn standard, which also supports passkeys. More info on passkeys
Component 1: WebAuthn Registration Service
Component Description:
This service will oversee the registration of new devices for users. It will guide users through the process of adding a new biometric identity or security key and store the necessary credentials safely.
Functional Requirements:
[ ] Device Registration: Enable users to register new devices, be it biometric data (like fingerprints or facial recognition) or physical security keys.
[ ] Credential Storage: Once a device is registered, securely store the WebAuthn credentials associated with the user's account.
[ ] User Feedback: Provide users with feedback during the registration process, such as success messages or prompts for additional actions.
Non-Functional Requirements:
[ ] Security: Given the sensitivity of biometric data and security keys, ensure that all data is encrypted and stored securely. Adhere to best practices for WebAuthn implementations.
[ ] Performance: The registration process should be swift and responsive, minimizing waiting times for users.
[ ] User Experience: Ensure a straightforward and intuitive registration process, with clear instructions and feedback.
Acceptance Criteria:
[ ] Users can initiate and successfully complete the device registration process.
[ ] All WebAuthn credentials are securely stored in association with the user's account.
[ ] Users receive clear feedback during and after the registration process.
Component 2: WebAuthn Authentication Service
Component Description:
This service is responsible for managing the authentication process using the WebAuthn protocol. It verifies users based on the devices or biometrics they've previously registered and grants access based on successful verification.
Functional Requirements:
[ ] Authentication Request: When a user attempts to log in, initiate a WebAuthn authentication request, prompting the user to use their registered device or biometric.
[ ] Credential Verification: After receiving the authentication response, verify the WebAuthn credentials against the stored data to authenticate the user.
[ ] Session Management: On successful authentication, generate and manage user sessions to maintain their authenticated state.
Non-Functional Requirements:
[ ] Security: Adhere to best practices for WebAuthn implementations. Ensure that the authentication process is secure and resistant to common threats like replay attacks.
[ ] Performance: The authentication process should be efficient, ensuring that users can log in quickly.
[ ] User Experience: The authentication flow should be intuitive, with clear prompts guiding users through the process.
Acceptance Criteria:
[ ] Users can initiate the WebAuthn authentication process and are prompted to use their registered device or biometric.
[ ] The system can accurately verify WebAuthn credentials and authenticate users.
[ ] On successful authentication, users are granted access and their session is managed appropriately.
Notes:
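As an added example (not code from this issue or from the linked forks), the server-side checks that Component 2's "Credential Verification" and replay-resistance requirements call for, written in Python with only the standard library: single-use challenges with an expiry, clientDataJSON type/origin validation, authenticatorData parsing (rpIdHash, flags, signature counter) and the counter-regression check. RP_ID, ORIGIN and CHALLENGE_TTL are assumed placeholder settings; the ECDSA signature check over authenticatorData || sha256(clientDataJSON) is the one step left out, since it needs a crypto library such as the one wauthn.py would use.

```python
import base64, hashlib, json, os, struct, time

# Hypothetical relying-party settings for this example (not the project's real values).
RP_ID, ORIGIN = "example.com", "https://example.com"
CHALLENGE_TTL = 120   # seconds a challenge remains valid
_pending = {}         # challenge -> (issued_at, user_id); consumed on first use

def issue_challenge(user_id: str, now=None) -> str:
    """Authentication request: mint a random challenge and remember it once."""
    challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
    _pending[challenge] = (time.time() if now is None else now, user_id)
    return challenge

def parse_authenticator_data(auth_data: bytes):
    """Fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]

def verify_assertion(user_id: str, client_data_json: bytes, auth_data: bytes,
                     stored_count: int, now=None) -> int:
    """Credential-verification checks that precede the signature check.
    Returns the new signature counter to persist with the credential."""
    now = time.time() if now is None else now
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if cd.get("origin") != ORIGIN:
        raise ValueError("unexpected origin")
    entry = _pending.pop(cd.get("challenge"), None)   # pop: each challenge is single-use
    if entry is None or entry[1] != user_id:
        raise ValueError("unknown, reused or foreign challenge")
    if now - entry[0] > CHALLENGE_TTL:
        raise ValueError("challenge expired")
    rp_hash, flags, count = parse_authenticator_data(auth_data)
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not flags & 0x01:                               # UP bit set; 0x04 would be UV
        raise ValueError("user presence not asserted")
    if not (count > stored_count or count == stored_count == 0):
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    return count

def sample_response(challenge: str, count: int, origin: str = ORIGIN):
    """Constructed client response for testing: what the browser would hand back."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + struct.pack(">I", count)
    return cdj, auth
```

The counter rule follows the WebAuthn spec: a new count must exceed the stored one unless both are zero (authenticators that do not implement a counter), and a regression is the signal the spec gives for a cloned authenticator.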