sciapp / sampledb

Sample and Measurement Metadata Database
https://scientific-it-systems.iffgit.fz-juelich.de/SampleDB/
MIT License

FIDO integration #20

Open nilsholle opened 2 years ago

nilsholle commented 2 years ago

Yubico provides a library for integrating FIDO (two factor) authentication in Python applications, see here: https://github.com/Yubico/python-fido2/tree/master/examples/server. I think this could greatly enhance security in SampleDB (and allow for much shorter passwords). What are your general thoughts on this?

A second and similar addition might be time-based one-time passwords (TOTP), but I haven't looked into existing solutions for this yet.

FlorianRhiem commented 2 years ago

Hey @nilsholle,

I'm open to something like this, as two factor authentication is definitely useful. I haven't used a U2F/FIDO2 based authenticator yet and don't have any experience with supporting them in a web service, so I might not be the best person to implement this, but a pull request for this would definitely be welcome.

Looking at FIDO and the Web Authentication API, I think it could be implemented as another authentication option (the passwordless FIDO variant), and/or SampleDB could be extended with support for various two factor authentication methods, with the Web Authentication API being the first of those, so users would be able to sign in using any authentication method they have active and would then need to use the Web Authentication API as the second factor (if enabled / set up). I don't know yet how something like this could work for authentication for the HTTP API, though my guess is that it won't work particularly well. However, users with two factor auth are likely not the (bot) users using the HTTP API, so that shouldn't be an issue.

If you'd be able to handle the FIDO/U2F/WebAuthentication related code, I could set up the basic infrastructure for two factor authentication methods.

nilsholle commented 2 years ago

Hi, thanks for the positive feedback! I haven't implemented FIDO in other applications myself, but looking at the example, I think I should be able to handle this. I would be very happy if you could set up the basic infrastructure for two-factor authentication. If I see correctly, this part would also have to come first, am I right? At least storage of the FIDO credentials would have to be ready first.

nilsholle commented 2 years ago

Of course, things would be a little different if FIDO were used as an alternative to the login via password and not as a second factor... personally, I would be open to both.

FlorianRhiem commented 2 years ago

I have implemented the basic infrastructure for two factor authentication (in commit f1b9a38583e3d81275b3438cb81168788dbb4c1e) along with a TOTP-based two factor authentication method (in commits 39960a0b4ee720e996c97c571a3b44452f41922c and a6cf095358df1b72291dfdd640f25ca9882797ee). You can use those changes as an example of what you will need to do to implement the WebAuth / FIDO / U2F based method.

If you have any questions, let me know.
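The TOTP method referenced in the comment above works as follows; this is an added, self-contained illustration of RFC 6238 TOTP and its server-side verification, not SampleDB's own implementation, and it uses only the Python standard library. The base32 secret format, 6 digits, 30-second steps and SHA-1 are the defaults of common authenticator apps; the `otpauth://` provisioning URI, the `window` of accepted steps and the `last_used_step` replay guard are design choices assumed for the example.

```python
"""RFC 6238 TOTP generation and server-side verification (standard library only).

Added example, not SampleDB code. Assumptions: base32 secrets as used in otpauth:// URIs,
6-digit codes, 30-second steps, SHA-1, and a persisted last_used_step for replay protection.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

DIGITS = 6
STEP = 30  # seconds per time step


def hotp(key: bytes, counter: int, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, at // step, digits, algorithm)


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32 without padding, as shown to the user during enrolment."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Accept secrets with or without base32 padding, in either case."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key URI (otpauth://) that authenticator apps import from a QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def verify_totp(secret_b32: str, code: str, now: int, last_used_step: Optional[int],
                window: int = 1) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step +/- `window` steps.

    Returns (accepted, step_to_store). The caller persists step_to_store and passes it
    back as last_used_step next time: a step at or before the last accepted one is never
    accepted again, so a captured code cannot be replayed inside the window.
    Code comparison is constant-time.
    """
    code = code.strip().replace(" ", "")
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False, last_used_step
    key = decode_secret(secret_b32)
    current = now // STEP
    for delta in range(-window, window + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue  # replay guard
        if hmac.compare_digest(hotp(key, step), code):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.org", "SampleDB"))
    print("current code:", totp(decode_secret(secret), int(time.time())))
```

The `window` of one step on either side tolerates clock skew between the phone and the server; widening it beyond that only increases the number of codes an attacker can guess per attempt, so rate-limit verification attempts per account in addition to the replay guard.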

FlorianRhiem commented 6 months ago

I have implemented the use of FIDO2 passkeys for two-factor authentication or (if enabled by an admin) as a standalone authentication method in the current development version.
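Whether FIDO2/WebAuthn is used as a second factor or as a standalone method, as discussed earlier in this thread and implemented per the comment above, the relying party has to validate an assertion before trusting it. The following is an added example, not SampleDB's code and not the python-fido2 API: it implements the checks from the WebAuthn "verifying an authentication assertion" procedure that do not need the credential's public key (client data type, challenge, origin, rpIdHash, user-presence and user-verification flags, and the signature counter) and returns the byte string `authenticatorData || SHA-256(clientDataJSON)` over which the signature must then be verified with the stored public key, which a library such as python-fido2 does. The RP ID `sampledb.example`, the origin and the sample responses built by `make_sample_response` are constructed for the example.

```python
"""Server-side WebAuthn assertion checks that precede signature verification.

Added example, not SampleDB code. Assumptions: RP ID / origin values are illustrative,
make_sample_response() fabricates what a browser would return, and signature verification
over the returned data_to_verify is done elsewhere with the stored credential public key.
"""
import base64
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass
from typing import Tuple

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_AT = 0x40  # attested credential data present (registration only)
FLAG_ED = 0x80  # extension data present


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthenticatorData:
    """Fixed 37-byte prefix: SHA-256(rpId) || flags || 32-bit big-endian signature counter."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthenticatorData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def verify_assertion_context(rp_id: str, expected_origin: str, expected_challenge: bytes,
                             stored_sign_count: int, client_data_json: bytes,
                             authenticator_data: bytes, require_uv: bool = False) -> Tuple[bytes, int]:
    """Return (data_to_verify, new_sign_count) or raise ValueError on any failed check."""
    client_data = json.loads(client_data_json.decode("utf-8"))
    if client_data.get("type") != "webauthn.get":
        raise ValueError("clientData.type is not webauthn.get")
    challenge = b64url_decode(str(client_data.get("challenge", "")))
    if not hmac.compare_digest(challenge, expected_challenge):
        raise ValueError("challenge mismatch (stale or forged response)")
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"unexpected origin {client_data.get('origin')!r}")

    auth = parse_authenticator_data(authenticator_data)
    if not hmac.compare_digest(auth.rp_id_hash, hashlib.sha256(rp_id.encode("utf-8")).digest()):
        raise ValueError("rpIdHash does not match our RP ID")
    if not auth.flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not auth.flags & FLAG_UV:
        raise ValueError("user verification required but UV flag not set")
    # When either side reports a non-zero counter it must strictly increase; otherwise the
    # response is replayed or the authenticator has been cloned. Counter-less authenticators
    # always report 0 and are skipped here.
    if (auth.sign_count or stored_sign_count) and auth.sign_count <= stored_sign_count:
        raise ValueError(f"signature counter {auth.sign_count} did not increase past {stored_sign_count}")

    data_to_verify = authenticator_data + hashlib.sha256(client_data_json).digest()
    return data_to_verify, auth.sign_count


def check_assertion(**kwargs) -> str:
    """Convenience wrapper: 'ok' or the reason the assertion was rejected."""
    try:
        verify_assertion_context(**kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


def make_sample_response(rp_id: str, origin: str, challenge: bytes, sign_count: int,
                         flags: int) -> Tuple[bytes, bytes]:
    """Constructed stand-in for a browser's (clientDataJSON, authenticatorData)."""
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                                   "origin": origin, "crossOrigin": False}).encode("utf-8")
    authenticator_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                          + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


if __name__ == "__main__":
    chal = bytes(range(32))  # constructed; use os.urandom(32) per login attempt in practice
    cd, ad = make_sample_response("sampledb.example", "https://sampledb.example", chal, 5, FLAG_UP | FLAG_UV)
    print(check_assertion(rp_id="sampledb.example", expected_origin="https://sampledb.example",
                          expected_challenge=chal, stored_sign_count=4,
                          client_data_json=cd, authenticator_data=ad, require_uv=True))
```

The origin and rpIdHash checks are what make a passkey phishing-resistant: a response obtained on a look-alike domain carries that domain's origin and RP ID hash and is rejected before any signature is looked at. Store the new counter only after the signature has also verified, and generate a fresh random challenge per login attempt so a captured response cannot be resubmitted.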