LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

WebAuthn/FIDO2 #3059

Open n3oney opened 1 year ago

n3oney commented 1 year ago

Describe the feature request below

While simple TOTP 2FA has already been implemented, I wish we could use security keys like the YubiKey for 2FA with WebAuthn. Maybe even going totally passwordless for ease of signing in and even better security?

JoshuaACasey commented 1 year ago

> While simple TOTP 2FA has already been implemented

It does? Interesting. I don't see a 2fa option in the settings. (My account is on lemmy.world which appears to be running BE: 0.17.4)

n3oney commented 1 year ago

> It does? Interesting. I don't see a 2fa option in the settings. (My account is on lemmy.world which appears to be running BE: 0.17.4)

Yes, but it's not in a release yet.

fxttr commented 1 year ago

I would also love to see WebAuthn/FIDO2. In my eyes many lemmy users are technical people, FIDO2 could be a plus here.

cchance27 commented 1 year ago

Honestly, this isn't a "technical people" thing anymore: with iOS (and maybe Android) now having full passkey support, and even google.com now using passkeys, it's a big win.

novoid commented 1 year ago

> Honestly, this isn't a "technical people" thing anymore: with iOS (and maybe Android) now having full passkey support, and even google.com now using passkeys, it's a big win.

I disagree. Since passkeys offer less privacy and security than standard FIDO2 (1), there are good arguments for FIDO2 support to secure my account.

(1) This could get really deep into the tech/spec, but basically passkeys offer (optional) extraction of the secret key and upload to the public cloud, whereas the secret key in a FIDO2 HW token is almost impossible to extract even with physical access to the token. From my personal point of view: passkeys are a dirty workaround for people who were not able to use FIDO2 and its standard use-cases (token management, backups, ...).

ptman commented 1 year ago

WebAuthn/FIDO2 are unphishable. Much superior to TOTP.

novoid commented 1 year ago

> WebAuthn/FIDO2 are unphishable. Much superior to TOTP.

Yes.

And FIDO2 is much superior to passkeys and all of them (including email or text message PINs) are better than no 2FA at all.

There are use-cases for all of them. FIDO2, for example, doesn't require any expensive hardware token that 99% of people would not like to buy in any case. IMHO, TOTP is a good and privacy-respecting alternative to FIDO2. I'd prefer TOTP over passkeys for good reasons, for example.