Open rugk opened 5 years ago
The authenticator-rs work can be re-used in the portal implementation itself.
Just a quick note: While not a Mozilla employee (and thus not able to steer the crate in whatever direction I want), I'm responsible for a large part of that code (CTAP2/2.1). If you need special work done to integrate auth-rs into the portal, feel free to ping me (or open a bug report over at auth-rs). I'll see if I can help.
FYI, for anyone following this issue, I haven't forgotten about it, I just have a lot less time than I thought, and estimating is hard :).
I've done some more research and I think I've landed on having the public API basically look like Google's Credential Manager Jetpack API. I think it's simple and pretty well designed.
I'm trying to figure out what the API for the backends will need to be; I'm working on a prototype to start working out the kinks. It's not high quality at all, but the repo is public if anyone wants to follow along. The sequence diagrams would be of most interest right now: https://github.com/iinuwa/linux-webauthn-platform-api/blob/main/doc/scenarios.md.
@iinuwa I think your repo is private.
@TingPing Fixed, thanks.
See also this blog post by Alfio, which lays out a higher-level design
IMHO what is missing as a todo item for the sandbox is a FIDO U2F/WebAuthn abstraction for USB devices.
Problem
User story: I, as a user of a flatpak'ed browser, want to be able to log in with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.
So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.
WebAuthn spec has recently been finalized: https://www.w3.org/TR/webauthn/
Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.
Proposed solution
Another special abstraction (and permission) for U2F/WebAuthn access.
Actually, the security and isolation-focused distro Qubes OS has already developed a model, abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/ source code: https://github.com/QubesOS/qubes-app-u2f
The doc is really worth a read!
So maybe some kind of new portal? Or new permission?
Also discussed at
Other useful links
https://en.wikipedia.org/wiki/Universal_2nd_Factor https://en.wikipedia.org/wiki/WebAuthn
(sponsored sites, but visibly nice) https://webauthn.guide/ https://webauthn.io/
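The --device=all exposure described in this issue can be audited on an installed system. The following is an added example, not part of the original issue or of Flatpak's code: a Python check over the [Context] section of Flatpak metadata and override keyfiles (the text printed by flatpak info --show-permissions). The app ids and keyfile contents are constructed samples, and the merge logic assumes that an override entry prefixed with "!" revokes the corresponding grant.

```python
import configparser


def _devices(keyfile_text):
    """Return the devices= entries from the [Context] section of a keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "devices", fallback="")
    return [d.strip() for d in raw.split(";") if d.strip()]


def effective_devices(metadata_text, override_text=""):
    """Apply override entries on top of the app's own metadata.

    Assumption: an override entry such as "!all" revokes the "all" grant.
    """
    granted = set()
    for entry in _devices(metadata_text) + _devices(override_text):
        if entry.startswith("!"):
            granted.discard(entry[1:])
        else:
            granted.add(entry)
    return granted


def apps_with_all_devices(apps):
    """apps maps app id -> (metadata, override); return ids still granted 'all'."""
    return sorted(a for a, (m, o) in apps.items()
                  if "all" in effective_devices(m, o))


# Constructed sample keyfiles (hypothetical app ids).
BROWSER = ("[Application]\nname=org.example.Browser\n\n"
           "[Context]\nshared=network;ipc;\nsockets=wayland;\ndevices=all;\n")
EDITOR = "[Application]\nname=org.example.Editor\n\n[Context]\ndevices=dri;\n"
REVOKE = "[Context]\ndevices=!all;dri;\n"

SAMPLE = {
    "org.example.Browser": (BROWSER, ""),         # needs --device=all for U2F
    "org.example.Editor": (EDITOR, ""),           # only asks for GPU access
    "org.example.Hardened": (BROWSER, REVOKE),    # same app, override applied
}

if __name__ == "__main__":
    for app_id in apps_with_all_devices(SAMPLE):
        print(f"{app_id}: every device node is exposed to the sandbox")
```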