Closed gunnarif closed 11 months ago
To clarify. You onboard the key after you do a normal login with auðkenni. You can then use the key to allow longer sessions, when that session times out you still have to use auðkenni.
@eirikurn
cc @hrefnalind
This is an interesting suggestion to provide better UX in our identity server.
If the user opts in, then we could "remember" the user for 30-60 days, and when the user comes back they only have to use FaceID, TouchID or some other secure authentications, instead of full electronic ID.
Though this would be a fairly big task and we'd need to consider how this could fit into the trust framework.
@eirikurn I do not agree with what you describe.
A user logs in normally using auðkenni and gets in, he then adds a WebAuthN credential to his account. From that point onwards he can log in using username password and 2fa credential (f.ex by touching his security key, or by providing fingerprint to it or similar).
After a user establishes this kind of secure credential, talking to auðkenni at all is redundant.
You can even go further and let the user add a Discoverable Credential and the login process for the user becomes: Click sign in with security key, provide FIDO2 pin or similar challenge, and then touch the security key.
All of the above is unphishable due to how the protocol is designed.
Thank you for the feature request and your suggestion. We will review this solution and see if it fits island.is the authentication system.
@gunnarif or @Gunni do you know of any service provider that is using the standard ?
@gunnarif or @Gunni do you know of any service provider that is using the standard ?
The big ones would be
And many, many others.
Note that WebAuthN is not a service, it is a protocol that you implement on your web service and users can use it if they have the security keys that implement it. So no service fees, no contracts, no worrying about service provider outages, etc...
In your case, you can always fallback to using auðkenni if user loses their WebAuthN security key, so you never need to fallback insecurely or provide insecure "backup" methods of signing in.
Getum við gert upvote? FIDO2 væri mikil dásemd að fá
@eirikurn I do not agree with what you describe.
A user logs in normally using auðkenni and gets in, he then adds a WebAuthN credential to his account. From that point onwards he can log in using username password and 2fa credential (f.ex by touching his security key, or by providing fingerprint to it or similar).
After a user establishes this kind of secure credential, talking to auðkenni at all is redundant.
You can even go further and let the user add a Discoverable Credential and the login process for the user becomes: Click sign in with security key, provide FIDO2 pin or similar challenge, and then touch the security key.
All of the above is unphishable due to how the protocol is designed.
I think we're basically talking about the same thing.
Couple of notes:
The big problem with credentials that are non-local to the device you are browsing on, is that you can be fooled into accepting the challenge on a fake domain, and therefore authenticating an attacker...
A demonstration I saw on a Facebook post discussing this
With FIDO2 the user is UNABLE TO accept such a challenge, because the challenge will not succeed because the domain is incorrect. The user has NO recourse to bypass or override that.
Popping up a number and saying don't accept unless this unless the number matches is pointless, because:
FIDO2 prevents all of that by:
This issue's been twiddling its thumbs for 5 days. Daydreaming, perhaps? Best do something or it's curtains in 1 day. Nudge off the stale label to give it another go.
This issue's shut up shop. Gave it a day post-stale, then decided, "Enough's enough!"
I'd like this to be reconsidered. Account takeovers are getting more common.
PDF: FIDO Alliance White Paper: Using FIDO with eIDAS Services
Conclusions
To summarize, FIDO2 provides an easy-to-use and secured alternative to other potentially phishable solutions. The FIDO2 standard is suitable as the authentication mechanism for substantial or high assurance levels for both eID schemes and for authentication to a remote signing QTSP, as defined in the eIDAS regulation
How is this @eirikurn?
How about this, enroll the FIDO2 credential during in-person handoff, and don't allow user enrollment of FIDO2 credentials?
That way you control what devices are used?
I mean you can already control that server side too but still.
Austrian government adds YubiKeys to its electronic ID system.
We are falling behind.
Add WebAuthn standard as a way to login to Ísland.is. This will allow FIDO security keys like YubiKey, log in with fingerprints, window hello and many more very secure methods.
Try out and read about WebAuthn at https://webauthn.io/