sebadob / rauthy

OpenID Connect Single Sign-On Identity & Access Management
https://sebadob.github.io/rauthy/
Apache License 2.0

Add support for TOTP 2FA? #538

Closed danya02 closed 3 months ago

danya02 commented 3 months ago

There are currently certain issues with WebAuthn passkey support and usability across platforms. For example, on my desktop Firefox browser, I can only use the Yubikey I have plugged in, and while it's meant to be possible to perform a FIDO handoff between an Apple and an Android device, I can't seem to figure out how to do this (definitely not within the default Rauthy WebAuthn interaction timeout).

A much more resilient 2FA solution is TOTP, as generated by the likes of Google Authenticator and Authy. This involves a secret stored in the app being combined with the current time to give a 6-digit code to be typed on the keyboard within 30 seconds. This works with any user-agent, including those that have no support for FIDO/WebAuthn, and the secret can be stored and backed up using the code-generating app's standard features.

This method has slightly lower security than passkeys, being based on a shared secret that can be intercepted during initial enrollment. However, in my opinion its resilience to hardware and compatibility issues is a fairly significant advantage, and it should be available as an option in most 2FA schemes (though maybe discouraged as the only way to do it).

Are there any plans to implement TOTPs in Rauthy?
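As an added illustration (not part of the original comment and not Rauthy code), this is the RFC 6238 computation the comment describes, with a server-side check that has to hold the same shared secret as the app. The `Verifier` class, its one-step drift window and its replay guard are assumptions of this sketch; the secret is the constructed RFC 6238 SHA-1 test value.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step, as in the comment above
DIGITS = 6   # code length, as in the comment above


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: stores the same secret the app holds."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_step = -1  # highest time step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step:
                continue  # a used or older step is never accepted again
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


# Constructed sample input: the SHA-1 test secret from RFC 6238 Appendix B.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = Verifier(SECRET)
    code = totp(SECRET, 59)
    # First submission is accepted, an immediate resubmission is not.
    print(code, server.check(code, 59), server.check(code, 59))
```

The check depends only on the digits and the clock, so it cannot tell which device or channel delivered the code; the replay guard narrows reuse to a single acceptance per time step.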

sebadob commented 3 months ago

Thanks for the issue.

TOTPs will not be implemented in any way, no. The reason is that they are an absolute nightmare for the UX and provide a false sense of security. They can be safe, but only when you do it right. Most people, however, just generate them on the same device they use for logging in or use shared secrets in some cloud. In this case you will only get the bad parts of them but not the effect you want. On top of it, in my experience people will avoid them at all costs, if they are not forced into the system.

> For example, on my desktop Firefox browser, I can only use the Yubikey I have plugged in,

This is actually a good thing, not bad. You don't want your 2FA / MFA to be shareable. Just plug the key into the device where you need it. Or just register multiple ones. I know there are issues with Passkeys (thanks Google ...), but all other options are far worse.

> I can only use the Yubikey I have plugged in, and while it's meant to be possible to perform a FIDO handoff between an Apple and an Android device, I can't seem to figure out how to do this

You can register as many keys for your account as you like. You can use your Yubikey on your desktop and register a "sign in with fingerprint" for instance on your Android phone.

> definitely not within the default Rauthy WebAuthn interaction timeout

If you really need to, you can lower the security and configure this of course, but I would not recommend it.


In the end, if you want to share your 2FA or credentials in general between all your devices, I recommend to just use a good password manager (nothing built into your system like Apple's own solution, use something like Bitwarden) and use secure passwords. Against all beliefs, passwords are not insecure at all, you just have to handle them correctly. Since the same is true for TOTP while you get a nightmare of a UX on top, I don't see any benefit of implementing this.

danya02 commented 3 months ago

Hi. Thanks for the quick reply!

> Just plug the key into the device where you need it.

That only works if there is a key to be plugged. I'm one of the few people around here who has a Yubikey at all, and it's a Nano-sized one, meaning it's a pain to extract it from the computer's USB slot and you aren't really meant to do it often. But if the only WebAuthn device you have is your smartphone, then that presents an issue.

> You don't want your 2FA / MFA to be shareable.

I thought that was one of the main points behind passkeys as a marketing concept. In an ideal world, you'd come to a new computer, enter your login, then point your phone's camera at the screen, and it would use the credentials stored on the phone to log you into the computer (whereupon you may choose to enroll that computer as a credential).

But right now, if I had initially set up a Rauthy account on my Android phone, I wouldn't be able to log into that account on my desktop, or my Apple iPad, because the former doesn't do WebAuthn QR-based cross-device authentication, while the latter does but my phone doesn't (or I'm too dumb to figure it out, I guess).


I guess I'm just thinking of a worst-case emergency scenario, where your smartphone's Wi-Fi and cellular don't work, and you can only access the internet from a locked-down computer that isn't yours, and you need to log into the system ASAP to fix an outage or whatever.

I guess my regular account could wait in this scenario, but I understand the admin to be a kind of "break-glass" account, and you're in for a really bad time if you get locked out of that.

The benefit of TOTP in my eyes is that it works across any combination of transports: it just needs to arrive at the input text box, and it doesn't matter if it gets there by typing at the keyboard directly, over a wireless keyboard from across the room, over VNC or over a phone call (which I've had to do a couple times -- though that's equally a downside, because the TOTP code can then be phished).

In short, the decision to avoid TOTP means that you gain Confidentiality and Integrity, but at a cost of a noticeable decrease in Availability. I've still to figure out whether the trade-off is worth it for me.

sebadob commented 3 months ago

> That only works if there is a key to be plugged. I'm one of the few people around here who has a Yubikey at all, and it's a Nano-sized one, meaning it's a pain to extract it from the computer's USB slot and you aren't really meant to do it often. But if the only WebAuthn device you have is your smartphone, then that presents an issue.

That makes sense. But apart from that, you should never have just a single WebAuthn device. You always want a backup, at least somewhere at home or in a safe place, just in case you lose your primary key or it gets stolen. You should always register at least 2 passkeys.

> I thought that was one of the main points behind passkeys as a marketing concept. In an ideal world, you'd come to a new computer, enter your login, then point your phone's camera at the screen, and it would use the credentials stored on the phone to log you into the computer (whereupon you may choose to enroll that computer as a credential).

Yes, shareable as a hardware key makes sense. This is always secure. Shareable as software makes you vulnerable again, at least to some degree.

> But right now, if I had initially set up a Rauthy account on my Android phone, I wouldn't be able to log into that account on my desktop, or my Apple iPad, because the former doesn't do WebAuthn QR-based cross-device authentication, while the latter does but my phone doesn't (or I'm too dumb to figure it out, I guess).

This is very easily fixed, as mentioned in the docs.
Just log into your account with all devices that could be problematic like Android for instance, and then add keys on each device while being logged in everywhere. Adding a key will not log out other existing sessions, it will only be taken into account for new ones.

> I guess I'm just thinking of a worst-case emergency scenario, where your smartphone's Wi-Fi and cellular don't work, and you can only access the internet from a locked-down computer that isn't yours, and you need to log into the system ASAP to fix an outage or whatever.

That's exactly why you should always have multiple keys registered.

> The benefit of TOTP in my eyes is that it works across any combination of transports: it just needs to arrive at the input text box, and it doesn't matter if it gets there by typing at the keyboard directly, over a wireless keyboard from across the room, over VNC or over a phone call (which I've had to do a couple times -- though that's equally a downside, because the TOTP code can then be phished).

True, but since it does not boost the security that much compared to a good password, I would rather stick with just a secure password in that case, if you really don't want to use Passkeys / WebAuthn.


In the very early days, before we even had proper passkey support, I maintained a dedicated Rauthy Authenticator for internal use. This has been dropped as soon as passkeys became useable, because it was super annoying in many ways.