flatpak / xdg-desktop-portal

Desktop integration portal
https://flatpak.github.io/xdg-desktop-portal/
GNU Lesser General Public License v2.1

FIDO U2F/WebAuthn abstraction/permission/portal/… #989

Open rugk opened 5 years ago

rugk commented 5 years ago

IMHO what is missing as a todo item for the sandbox, is FIDO U2F/WebAuthn abstraction for USB devices.

Problem

User story: I, as a user of a flatpak'ed browser, want to be able to log in with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.

So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.

WebAuthn spec has recently been finalized: https://www.w3.org/TR/webauthn/

Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.

Proposed solution

Another special abstraction (and permission) for U2F/WebAuthn access.

Actually, the security and isolation-focused distro Qubes OS has already developed a model, abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/ (source code: https://github.com/QubesOS/qubes-app-u2f)

The doc is really worth a read!

So maybe some kind of new portal? Or new permission?

Also discussed at

Other useful links

https://en.wikipedia.org/wiki/Universal_2nd_Factor
https://en.wikipedia.org/wiki/WebAuthn

(sponsored sites, but visibly nice)
https://webauthn.guide/
https://webauthn.io/

msirringhaus commented 11 months ago

The authenticator-rs work can be re-used in the portal implementation itself.

Just a quick note: While not a Mozilla employee (and thus not able to steer the crate in whatever direction I want), I'm responsible for a large part of that code (CTAP2/2.1). If you need special work done to integrate auth-rs into the portal, feel free to ping me (or open a bug report over at auth-rs). I'll see if I can help.

iinuwa commented 5 months ago

FYI, for anyone following this issue, I haven't forgotten about it, I just have a lot less time than I thought, and estimating is hard :).

I've done some more research and I think I've landed on having the public API basically look like Google's Credential Manager Jetpack API. I think it's simple and pretty well designed.

I'm trying to figure out what the API for the backends will need to be; I'm working on a prototype to start working out the kinks. It's not high quality at all, but the repo is public if anyone wants to follow along. The sequence diagrams would be of most interest right now: https://github.com/iinuwa/linux-webauthn-platform-api/blob/main/doc/scenarios.md.

TingPing commented 5 months ago

@iinuwa I think your repo is private.

iinuwa commented 5 months ago

> @iinuwa I think your repo is private.

@TingPing Fixed, thanks.

mcatanzaro commented 2 months ago

See also this blog post by Alfio, which lays out a higher-level design