desec-io / desec-stack

Backbone of the deSEC Free Secure DNS Hosting Service
https://desec.io/
MIT License
394 stars, 50 forks

Extend 2FA with WebAuthn support #698

Open peterthomassen opened 1 year ago

peterthomassen commented 1 year ago

https://github.com/desec-io/desec-stack/issues/316#issuecomment-1221184243

peterthomassen commented 1 year ago

https://github.com/CZ-NIC/django-fido

peterthomassen commented 2 months ago

See https://github.com/Stormbase/django-otp-webauthn

fm commented 2 months ago

Would this extend to a completely passwordless login with passkeys as well?

peterthomassen commented 1 month ago

> Would this extend to a completely passwordless login with passkeys as well?

In general, why not! But: https://github.com/desec-io/desec-stack/issues/316#issuecomment-1221184243 has a concern about this, namely the complexity of having to deal with attestation / PKI stuff. I'm not too familiar with that stuff (yet). If you know more, can you share what you think about this?

emilazy commented 1 month ago

I would generally say that the quality of the authenticators people use for their own accounts is more or less their own business and that there’s therefore no need to pull attestation into the mix just to implement WebAuthn fully. It’s no different from choosing to leave your API keys unprotected.

Attestation is usually used by e.g. corporate environments or banks or whatever that want to enforce strict policies around what’s used for authentication.
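Added example (not code from desec-stack, django-fido or django-otp-webauthn): the checks a relying party still performs on a WebAuthn registration response when it requests attestation `none`, which is the situation the comment above describes. `RP_ID`, `ORIGIN`, the challenge and the sample response are constructed for the example.

```python
import base64
import hashlib
import json
import struct

# Constructed values for this example (not from the issue or desec-stack).
RP_ID, ORIGIN = "desec.example", "https://desec.example"
CHALLENGE = bytes(range(32))  # challenge the server issued and stored for this session

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_authenticator_data(data: bytes) -> dict:
    """Split authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData]."""
    flags = data[32]
    out = {"rp_id_hash": data[:32], "up": bool(flags & 0x01), "uv": bool(flags & 0x04),
           "at": bool(flags & 0x40), "sign_count": struct.unpack(">I", data[33:37])[0]}
    if out["at"]:  # aaguid(16) | credentialIdLength(2) | credentialId | COSE public key (CBOR)
        cred_len = struct.unpack(">H", data[53:55])[0]
        out["aaguid"] = data[37:53]
        out["credential_id"] = data[55:55 + cred_len]
        out["cose_key"] = data[55 + cred_len:]  # left undecoded here
    return out

def verify_registration(client_data_json: bytes, auth_data: bytes,
                        expected_challenge: bytes, require_uv: bool = False) -> dict:
    """Relying-party checks that need no attestation: challenge, origin, RP ID, flags."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.create" or client.get("origin") != ORIGIN:
        raise ValueError("wrong ceremony type or origin (phishing site or misconfigured RP)")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or cross-session response)")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("authenticator data is bound to a different RP ID")
    if not parsed["up"] or (require_uv and not parsed["uv"]):
        raise ValueError("user presence/verification flag not set")
    if not parsed["at"]:
        raise ValueError("registration carries no attested credential data")
    return parsed

def build_sample_response() -> tuple:
    # Constructed response as an authenticator returns it for attestation format "none".
    client = {"type": "webauthn.create", "challenge": b64url_encode(CHALLENGE), "origin": ORIGIN}
    cred_id = b"\xaa" * 16
    auth = (hashlib.sha256(RP_ID.encode()).digest() + bytes([0x01 | 0x04 | 0x40]) + struct.pack(">I", 0)
            + b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")  # b"\xa0": empty CBOR map
    return json.dumps(client).encode(), auth
```

What these checks give without attestation is binding to the RP ID, origin and session and proof of user presence; what they do not give is any statement about which authenticator model produced the key, which is the only thing attestation adds.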