bartnv / twofactor_webauthn

Roundcube plugin for FIDO2/WebAuthn 2-factor authentication
GNU General Public License v3.0

Supporting WebAuthn as single factor auth #4

Open Technikte opened 3 years ago

Technikte commented 3 years ago

Is it possible to do a 1FA auth with a security key, without using a password? My idea would be, as an example, in an untrusted env where keypresses could be logged/captured.

1FA: Authenticator, activation by tapping and then logging in. Replaces the password with a single factor, the ownership of the authenticator.

bartnv commented 3 years ago

I agree there are scenarios where that is useful. I don't think it would be difficult to add, but I think it should be a decision for the server admin whether to allow it or not. So that would mean we need to add a config.inc.php to the plugin. I'll give it some thought.

Mind you, you'll still need to enter your username, otherwise Roundcube doesn't know which account to check. Nextcloud has a similar setup, where you can either enter your password or activate your security key.

Technikte commented 3 years ago

Alright, thanks in advance for your time to think about this. Yes, I agree with you... since I use in my test env at the moment only my email address + imap password, it would be pretty critical if someone gets the imap password. I still need to figure out how to use user accounts not based on imap details, and then username + key would be fine.

bartnv commented 3 years ago

It's a complicated thing because Roundcube needs the user's password to be able to login to the IMAP server. We'd have to store the password encrypted either in the Roundcube database or in a cookie. I use a persistent login plugin (https://github.com/mfreiholz/persistent_login) that does something similar, but unfortunately it's not part of Roundcube itself so we can't rely on it being available. I could make it a dependency but then again not every admin will want the "keep me logged in" functionality.
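The comment above describes the core constraint: because Roundcube must present the real IMAP password to the IMAP server, a password-less WebAuthn login can only work if the plugin keeps that password somewhere, encrypted, and releases it once the authenticator assertion has been verified. The sketch below is an added example of what that wrapping could look like; it is not code from twofactor_webauthn, persistent_login or Roundcube. It assumes a server-wide 32-byte key kept in config.inc.php (the option name `webauthn_1fa_password_key` is hypothetical), uses libsodium's XChaCha20-Poly1305 AEAD, and binds the ciphertext to the account name as associated data so a blob copied into another user's row will not open. The caller is assumed to invoke `unwrap_imap_password()` only after the WebAuthn assertion for that username has been checked.

```php
<?php
// Added example; not part of the twofactor_webauthn plugin or of Roundcube.
// Assumption: $config['webauthn_1fa_password_key'] (hypothetical option) holds
// 32 random bytes generated once by the admin, e.g. random_bytes(32).
declare(strict_types=1);

const WRAP_NONCE_BYTES = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24
const WRAP_KEY_BYTES   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES;  // 32

/**
 * Wrap the IMAP password for storage in the Roundcube DB (or a cookie).
 * The username is authenticated as AAD but not encrypted, so the blob is
 * tied to exactly one account.
 */
function wrap_imap_password(string $key, string $username, string $password): string
{
    if (strlen($key) !== WRAP_KEY_BYTES) {
        throw new InvalidArgumentException('wrapping key must be exactly 32 bytes');
    }
    $nonce = random_bytes(WRAP_NONCE_BYTES); // fresh per wrap; never reuse with the same key
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($password, $username, $nonce, $key);
    return base64_encode($nonce . $ct);
}

/**
 * Recover the IMAP password for $username. Returns null if the blob is
 * malformed, was tampered with, or belongs to a different account.
 * Call this only after the WebAuthn assertion for $username has verified.
 */
function unwrap_imap_password(string $key, string $username, string $blob): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= WRAP_NONCE_BYTES) {
        return null;
    }
    $nonce = substr($raw, 0, WRAP_NONCE_BYTES);
    $ct    = substr($raw, WRAP_NONCE_BYTES);
    $pw = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $username, $nonce, $key);
    return $pw === false ? null : $pw;
}

/** Self-check with constructed values (not real credentials). Returns true if all cases behave. */
function wrap_self_check(): bool
{
    $key  = random_bytes(WRAP_KEY_BYTES); // stands in for the config.inc.php key
    $blob = wrap_imap_password($key, 'alice@example.org', 'imap-secret');

    // Right account: must open to the original password.
    $ok = unwrap_imap_password($key, 'alice@example.org', $blob) === 'imap-secret';
    // Blob moved to another user's row: AAD mismatch, must not open.
    $ok = $ok && unwrap_imap_password($key, 'mallory@example.org', $blob) === null;
    // Ciphertext/tag modified in the DB: must not open.
    $tampered = base64_encode(substr(base64_decode($blob, true), 0, -1) . "\x00");
    $ok = $ok && unwrap_imap_password($key, 'alice@example.org', $tampered) === null;
    // Wrong server key (e.g. restored DB on a host with a different config): must not open.
    $ok = $ok && unwrap_imap_password(random_bytes(WRAP_KEY_BYTES), 'alice@example.org', $blob) === null;
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo wrap_self_check() ? "self-check passed\n" : "self-check FAILED\n";
}
```

The trade-off this makes visible is the one the thread is circling: the wrapping key has to live on the Roundcube host, so an attacker with both the database and config.inc.php can unwrap every stored IMAP password. That is the same exposure persistent_login accepts, which is why opting in belongs to the server admin, and why the wrapped blob should be created only during a normal password login and only for users who have actually registered an authenticator.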

Technikte commented 3 years ago

Yeah, I noticed when I tried that the "new_user_dialog" plugin doesn't create a new user based on a username + password. So the first login should or would always be in a secure env with email address + imap password, and in that session the person could set up a security key for all logins after that. These would then be done without the needed password. This would work for me too. I kinda share the feeling... that I am not quite sure if I want to stay logged in.

bartnv commented 3 years ago

I'm marking this wontfix for now. If circumstances change, like Roundcube natively supporting persistent login, then I'm willing to re-evaluate this.