Yellow-Dog-Man / Resonite-Issues

Issue repository for Resonite.
https://resonite.com

Passkeys as a login method #845

Open jae1911 opened 11 months ago

jae1911 commented 11 months ago

Is your feature request related to a problem? Please describe.

Resonite only supports email + password (+ OTP 2FA if activated) for authentication. It would be nice to have an option to enable passwordless logins via passkeys, like some websites/ecosystems have the option for (Google and Microsoft, to cite the two biggest).

Describe the solution you'd like

Adding support for passkeys would be beneficial in that enrolled users would have no password to remember, and that passkeys are supported on most, if not all, popular platforms (Windows, macOS, through hardware keys, through password managers such as Bitwarden), and so are extremely convenient. It would also improve security for enrolled users, as having no passwords thwarts any phishing attempts.

Describe alternatives you've considered

Having FIDO as a 2FA option would be a great step, but in the current state of things, no alternatives are present.

Additional Context

Potential blocker & related issue: #663

Official passkey resources by the FIDO Alliance:

Frooxius commented 11 months ago

This just seems like a duplicate of: https://github.com/Yellow-Dog-Man/Resonite-Issues/issues/663

What would be different on this one?

jae1911 commented 11 months ago

I thought #663 was more generic for the larger FIDO implementation while this issue describes a more precise use of it.

shiftyscales commented 11 months ago

"Once the key is setup, the login dialog will let the user login by simply plugging in the key and initiating the login action (e.g. by tapping the key)." Is that not what you are describing, @jae1911?

shiftyscales commented 11 months ago

I'm also confused on what differentiates this issue from #663.

jae1911 commented 11 months ago

The login flow is different with passkeys.
As people can add passkeys to physical security keys, there is now also a way to have those on mobile phones (and computers; Windows Hello does that, for instance).

In that case, a QR code is shown that the user will have to scan, then complete a challenge, which will then allow login; this requires more implementation than the regular FIDO2 flow. It also uses BLE (Bluetooth Low Energy) to make sure the user is nearby when scanning the code and authorizing the login, to avoid attacks where an attacker would stuff a QR code they control on a page and try to make the user scan it.

For instance, you can see:

My reasons for creating this issue are that:

shiftyscales commented 8 months ago

Given the additional context provided above- do you feel this is a sufficiently different issue from #663, @Frooxius?

Frooxius commented 8 months ago

I'm not sure at this point until we look into #663 deeper.