Passkeys as a login method

jae1911 commented 7 months ago

Is your feature request related to a problem? Please describe.

Resonite only supports email + password (+ OTP 2FA if activated) for authentication. It would be nice to have an option to enable passwordless logins via passkeys like some websites/ecosystems have to option for (Google and Microsoft to cite the two biggest).

Describe the solution you'd like

Adding support for passkeys would be beneficial in the way that there would be no password needed to be remembered for enrolled users and, that passkeys are supported on most, if not all, popular platforms (Windows, MacOS, through hardware keys, through password managers such as Bitwarden), and so, extremely convenient. It would also improve security for enrolled users as having no passwords thwarts any phishing attemps.

Describe alternatives you've considered

Having FIDO as a 2FA option would be a great step, but in the current state of things, no alternatives are present.

Additional Context

Potential blocker & related issue: #663

Official passkey resources by the FIDO Alliance:

https://fidoalliance.org/passkeys/

Frooxius commented 7 months ago

This just seems like a duplicate of: https://github.com/Yellow-Dog-Man/Resonite-Issues/issues/663

What would be different on this one?

jae1911 commented 7 months ago

I thought #663 was more generic for the larger FIDO implementation while this issue describes a more precise use of it.

shiftyscales commented 7 months ago

"Once the key is setup, the login dialog will let the user login by simply plugging in the key and initiating the login action (e.g. by tapping the key)." Is that not what you are describing, @jae1911?

shiftyscales commented 7 months ago

I'm also confused on what differentiates this issue from #663.

jae1911 commented 7 months ago

The login flow is different with passkeys.
As people can add passkeys to physical security keys, there is now also a way to have those on mobile phones (and computers, Windows Hello does that for instance).

In that case, a QR code is shown that the user will have to scan, do a challenge which will then allow login which requires more implementations than the regular FIDO2 flow. It also uses BLE (Bluetooth Low Energy) to make sure the user is nearby when scanning the code and authorizing the login to avoid attacks where an attack would stuff a QR code they control on a page and try to make the user scan it.

For instance, you can see:

Use a passkey saved on your iPhone to sign in on another device (from Apple)
Use a passkey (from Microsoft)

My reasons for creating this issue is that:

The passkey flow is different from the FIDO2 one with only hardware keys
Hardware keys are great but it's more practical for most people to use what's built-in on their phones and computers and will still strengthen account security

shiftyscales commented 4 months ago

Given the additional context provided above- do you feel this is a sufficiently different issue from #663, @Frooxius?

Frooxius commented 4 months ago

I'm not sure at this point until we look into #663 deeper.

Yellow-Dog-Man / Resonite-Issues