Feature request: Add WebAuthn standard for login into island.is

[gunnarif]

Add WebAuthn standard as a way to login to Ísland.is. This will allow FIDO security keys like YubiKey, log in with fingerprints, window hello and many more very secure methods.

Try out and read about WebAuthn at https://webauthn.io/

[gunnarif]

To clarify. You onboard the key after you do a normal login with auðkenni. You can then use the key to allow longer sessions, when that session times out you still have to use auðkenni.

@eirikurn

[eirikurn]

cc @hrefnalind

This is an interesting suggestion to provide better UX in our identity server.

If the user opts in, then we could "remember" the user for 30-60 days, and when the user comes back they only have to use FaceID, TouchID or some other secure authentications, instead of full electronic ID.

Though this would be a fairly big task and we'd need to consider how this could fit into the trust framework.

[Gunni]

@eirikurn I do not agree with what you describe.

A user logs in normally using auðkenni and gets in, he then adds a WebAuthN credential to his account. From that point onwards he can log in using username password and 2fa credential (f.ex by touching his security key, or by providing fingerprint to it or similar).

After a user establishes this kind of secure credential, talking to auðkenni at all is redundant.

You can even go further and let the user add a Discoverable Credential and the login process for the user becomes: Click sign in with security key, provide FIDO2 pin or similar challenge, and then touch the security key.

All of the above is unphishable due to how the protocol is designed.

[hrefnalind]

Thank you for the feature request and your suggestion. We will review this solution and see if it fits island.is the authentication system.

[hrefnalind]

@gunnarif or @Gunni do you know of any service provider that is using the standard ?

[Gunni]

@gunnarif or @Gunni do you know of any service provider that is using the standard ?

Support in browsers

The big ones would be

• Google (also has a security key ONLY method, without insecure fallback)
• Microsoft
• Facebook
• GitHub
• DropBox
• Twitter

And many, many others.

Note that WebAuthN is not a service, it is a protocol that you implement on your web service and users can use it if they have the security keys that implement it. So no service fees, no contracts, no worrying about service provider outages, etc...

In your case, you can always fallback to using auðkenni if user loses their WebAuthN security key, so you never need to fallback insecurely or provide insecure "backup" methods of signing in.

[sporri]

Getum við gert upvote? FIDO2 væri mikil dásemd að fá

[eirikurn]

@eirikurn I do not agree with what you describe.

A user logs in normally using auðkenni and gets in, he then adds a WebAuthN credential to his account. From that point onwards he can log in using username password and 2fa credential (f.ex by touching his security key, or by providing fingerprint to it or similar).

After a user establishes this kind of secure credential, talking to auðkenni at all is redundant.

You can even go further and let the user add a Discoverable Credential and the login process for the user becomes: Click sign in with security key, provide FIDO2 pin or similar challenge, and then touch the security key.

All of the above is unphishable due to how the protocol is designed.

I think we're basically talking about the same thing.

Couple of notes:

• If we were to adopt FIDO2, it's tempting to go straight for something like Discoverable Credentials, since that would be similar to how the upcoming Island.is App will work. There you perform electronic ID once, then you can use local device auth to get into the app from then on.
• The SPs you listed are huge, but some of our SPs are way more paranoid than them, even more than online banks. Heilsuvera for example does not even support two factor Íslykill and instead requires Electronic ID for all authentications.
• There is a general POV in gov that Electronic IDs are the only/most secure form of true digital authentication, since it is linked to you (through a SIM/app on your phone) and the only way to get it is through physical authentication (eg in a bank). All other methods of digital authentication get compared to that "gold standard", and are generally trusted less since they are easier to "share".
• In the Island.is app, I think we'll require a "full" electronic ID authentication periodically to make sure you are who you are, and not someone who somehow authenticated with your electronic ID once. This is why I suggested using FIDO2 to support similar functionality on the web; eg "remember the user for 30-60 days".
• FIDO2 may complicate the trust-system of the IDP for our local SPs on one hand as well as European SP through eIDAS. It would open up a whole world of "authentication options", where we're basically putting our trust in the user's setup/hardware. As I understand it, the authentication could theoretically be anything from an insecure browser extension to a hardware based DNA check.
• For our own SPs, we could list Webauthn as a supported authentication method so the SPs can decide for themselves if they want to support it. However, the eIDAS certification process is so convoluted that I'm not sure if we could support FIDO2 for those SPs except with a fairly low trust rating.

[Gunni]

The big problem with credentials that are non-local to the device you are browsing on, is that you can be fooled into accepting the challenge on a fake domain, and therefore authenticating an attacker...

A demonstration I saw on a Facebook post discussing this

With FIDO2 the user is UNABLE TO accept such a challenge, because the challenge will not succeed because the domain is incorrect. The user has NO recourse to bypass or override that.

Popping up a number and saying don't accept unless this unless the number matches is pointless, because:

1. The user doesn't need to enter it
2. Even if they had to enter it, the attacker controlled website could just show the number being requested by the real origin

FIDO2 prevents all of that by:

1. Working with the browser
2. Validating that the domain the browser is on is correct

[andes-it]

This issue's been twiddling its thumbs for 5 days. Daydreaming, perhaps? Best do something or it's curtains in 1 day. Nudge off the stale label to give it another go.

[andes-it]

This issue's shut up shop. Gave it a day post-stale, then decided, "Enough's enough!"

[Gunni]

I'd like this to be reconsidered. Account takeovers are getting more common.

[Gunni]

PDF: FIDO Alliance White Paper: Using FIDO with eIDAS Services

Conclusions

To summarize, FIDO2 provides an easy-to-use and secured alternative to other potentially phishable solutions. The FIDO2 standard is suitable as the authentication mechanism for substantial or high assurance levels for both eID schemes and for authentication to a remote signing QTSP, as defined in the eIDAS regulation

How is this @eirikurn?

[Gunni]

How about this, enroll the FIDO2 credential during in-person handoff, and don't allow user enrollment of FIDO2 credentials?

That way you control what devices are used?

I mean you can already control that server side too but still.

[Gunni]

Austrian government adds YubiKeys to its electronic ID system.

We are falling behind.