clojars / clojars-web

A community repository for open-source Clojure libraries
https://clojars.org
Eclipse Public License 1.0

Support WebAuthn for Login. #794

Open dharrigan opened 3 years ago

dharrigan commented 3 years ago

WebAuthn, as defined here https://en.wikipedia.org/wiki/WebAuthn is a web standard used to secure authentication to web sites and services. It has been an official W3C standard since 2019. A very common example is the use of so-called security keys such as the Yubico YubiKey, Google's Titan Security Key, and various other open source implementations such as Solo and so on.

WebAuthn is supported by all modern browsers, such as Firefox, Chromium, Safari, Brave and so on.

Presently, Clojars Web supports the use of 2FA via TOTP tokens - which is most excellent - for authentication to the "admin" area of each user's profile.

It would be very good if, in addition to TOTP, the user had the ability to register a FIDO/FIDO2 compatible key against their profile, thus allowing users to authenticate via the security key instead of the TOTP token (the user can choose which one to authenticate by on login).

Since WebAuthn is "built-in" to modern browsers, the APIs are already there to implement it.

More research would be required to determine how precisely it would fit into Clojars Web and how to properly obtain authentication against existing and new users.

JohnnyJayJay commented 1 year ago

If this is up for grabs, I would give implementing this a shot next month 😄

tobias commented 1 year ago

@JohnnyJayJay That would be great! I don't know anything about WebAuthn (other than what @dharrigan taught me above :)), but would be happy to provide any guidance needed relating to the Clojars codebase.

JohnnyJayJay commented 1 year ago

That would be much obliged. I joined the clojars channel on the Clojurians Slack; I'll give you a heads-up there when I need assistance. At first glance, it seems like there are a lot of components that need to be adjusted to implement this.