Allow new account registration with WebAuthn #9753

Open
opened 3 months ago by cutestnekoaqua · 16 comments
Collaborator

What feature would you like implemented?

WebAuthn is a standard for hardware keys and other methods of asynchronous authentication; it is used by Facebook, Twitter, and many others, and allows you to authenticate using YubiKeys, for example.

More info and stuff to read up about:
https://webauthn.io/
https://www.youtube.com/watch?v=zJPNuORkvvk

Why should we add this feature?

To allow a secure way of authentication for people with sensitive accounts or who could be targets of hackers; influencers and security researchers could need this, for example.

Version

develop

Instance

No response

What browser are you using?

Librewolf

Relevant log output

No response

Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
cutestnekoaqua added the
Feature
💬Discussion
labels 3 months ago

Sounds good to me

panos commented 3 months ago
Owner

Agree, it sounds like a good idea, if it's easy to implement. However if it needs some work, I think it shouldn't be a priority, there's plenty more important things that would benefit all users more. Calckey doesn't even offer E2EE, so I don't think anyone should use it for such sensitive information that requires that level of security for login anyway.

Poster
Collaborator

> Agree, it sounds like a good idea, if it's easy to implement. However if it needs some work, I think it shouldn't be a priority, there's plenty more important things that would benefit all users more. Calckey doesn't even offer E2EE, so I don't think anyone should use it for such sensitive information that requires that level of security for login anyway.

Thought was for preservation of identity, not getting your account hacked; there is much sensitive info stored in your account, but yeah, I get your point.
tsuki commented 3 months ago

If we implement this (which I believe we should) we should make sure we support FIDO CTAP2 and platform authenticators so that users with access to windows hello and touch/face ID can use their devices as a security key


@tsuki wouldn't that be up to the WebAuthN standard/your browser's interface with security keys to support, not Calckey?

tsuki commented 3 months ago

> @tsuki wouldn't that be up to the WebAuthN standard/your browser's interface with security keys to support, not Calckey?

I believe it's a combination of both: the browser has to support it, but we must also generate the correct attestation to tell the browser what we will accept.

So I guess that comes down to if https://github.com/MasterKale/SimpleWebAuthn supports it

Poster
Collaborator

There are many libs for it. We don't need to use that specific one.


Technically the package we use for hardware key authentication fully supports WebAuthN. We just need to:

  • [x] it so that you don't need 2FA to use it. https://codeberg.org/calckey/calckey/commit/4e843f2949d2ffcf1e5fa7ce3436f3fddae75f1c
  • [ ] allow new accounts to be registered with a security key

[image attachment]

thatonecalculator changed title from [Feature]: Support for WebAuthn to Make WebAuthn not need 2FA beforehand 2 months ago
thatonecalculator changed title from Make WebAuthn not need 2FA beforehand to Allow new account registration with WebAuthn, and make WebAuthn not need 2FA beforehand 2 months ago
thatonecalculator changed title from Allow new account registration with WebAuthn, and make WebAuthn not need 2FA beforehand to Allow new account registration with WebAuthn 2 months ago
Poster
Collaborator

> Technically the package we use for hardware key authentication fully supports WebAuthN. We just need to:
>
> • [x] it so that you don't need 2FA to use it. https://codeberg.org/calckey/calckey/commit/4e843f2949d2ffcf1e5fa7ce3436f3fddae75f1c
> • [ ] allow new accounts to be registered with a security key
>
> [image attachment]

Ah, so accounts w/o pass, just key? This would need a DB migration as well, I believe; can look into that later sometime, or if someone else wants to, this is up for grabs.

bh4 commented 2 months ago

That would be a very nice feature. Since signup with only a key would be implemented, don't just limit it to web authentication, i.e., allow customisation in the backend as well as the Sign-Up UI (by the instance admin) so that other modes of signup like [firebase](https://feathersjs.com/cookbook/authentication/firebase.html) and [mobile OTP](https://docs.truecaller.com/truecaller-sdk/mobile-websites/integrating-with-your-mobile-website/fetch-user-profile) can be implemented by an instance admin with little to moderate effort.


Relying on proprietary services isn't the goal for Calckey.

Poster
Collaborator

> Relying on proprietary services isn't the goal for Calckey.

It's not.

> (by instance admin) so that other modes of signup like firebase and mobile OTP can be implemented by instance admin with little to moderate effort

Reads like we can allow others to implement it themselves, not we do it, by providing an auth API for plugins later.

bh4 commented 2 months ago

Yes, @cutestnekoaqua, I meant that Calckey should additionally implement sign-up using web authentication only. But it can:
i) Make the sign-up UI (for web authentication) configurable by the instance admin so that the same can be used for mobile OTP sign-up by an instance admin who understands Calckey's code and can implement mobile OTP signup himself/herself. Also, this will be beneficial for web authentication signup too, because if the user is shown 'Sign up with web authentication', it will be difficult for users to understand, but if the message is 'Sign up with web authentication, i.e., fingerprint unlock, device unlock, YubiKey, etc.' it will be easier for the user to understand. So, I want the sign-up UI for web authentication to be configurable by the system admin and not fixed like the current email & password signup.
ii) In the backend, signup with web authentication will mean signup with one token (instead of 2 for email & password). The same is true for mobile OTP signup. So, I want Calckey to implement fetching the token using web authentication only, but providing an option in the control panel to allow overriding the way in which the token is fetched (so that the instance admin can use this option for implementing mobile OTP signup).

bh4 commented 2 months ago

Is this a high priority or low priority feature?


Low prio

Reference: calckey/calckey#9753