-
Hi! That's a good question, and the answer isn't that simple. A few years ago, I was quite hyped about WebAuthn, which was quite new and seemed very cool. I therefore decided to add it to LibreAuth. However, when I started to read more about it before diving into the implementation details, I realized WebAuthn has a huge drawback: there is absolutely no way to back up/transfer a physical device. If your device is lost/stolen/destroyed/whatever, you are locked out. The only answer to this was to ask users to always register at least 2 devices, which is not a good solution: since a typical user registers on new websites on a regular basis, all the devices have to be accessible and are therefore liable to be lost/stolen/destroyed together. In a similar way, if you want to upgrade to a new device, you have to enroll it on each website, one by one, which may take a tremendous amount of time. This issue is regularly discussed:
Clearly, as long as this issue remains, WebAuthn physical devices are not ready for production. The only viable option would be a virtual device, which would be close to a password manager and therefore isn't that attractive. Because of this, I never started the WebAuthn implementation in LibreAuth (I don't want to spend time on things that would/should not be used). However, two months ago, FIDO published a white paper on multi-device FIDO credentials. While I haven't read it yet, it looks quite promising. Once the multi-device issue is solved, I will add WebAuthn to LibreAuth. Depending on how this issue is to be solved, I may even start a little earlier in order to implement the parts that wouldn't change.
-
Well, the 9-page-long white paper didn't take me much time to read. As usual, FIDO brags about how great they are, the passwordless future and so on, without giving any details. The only useful information is that the server-side part wouldn't change at all: everything will take place in the operating system. Although the white paper seems promising, the FAQ scares me a lot:
Using some big-corp private cloud platform is a no-go for me. I don't use it and will not use it. In addition to requiring the use of such a private cloud platform, it explicitly says that sharing between platforms is not supported and won't be, so it strongly suggests that you use software/devices from the same vendor and never switch to another one. Having a few big corps managing all your online identity is a huge step towards a cyberpunk universe, and I do not like it. Searching for this topic, I found Yubico's proposal for backup devices. It's a little bit older (November 2020) and it's not perfect, but at least it explains what's actually going on. It doesn't seem to be the way things are heading, but it's still interesting to see what has been proposed earlier, even if it's not the ideal solution. Still, I prefer this rather than relying on some big-corp private cloud platforms. Anyway, I think it's safe to start working on the server-side part. It should take some time for me to actually start on this, since I have to read a lot about the technical details before starting to design the API. Furthermore, I will never encourage the use of GAFAM's cloud platforms and, if that's the official direction, I would discourage its use, which includes not including it in LibreAuth.
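To make the relying-party side of the lockout problem concrete, here is an added Rust example (not LibreAuth code and not from the FIDO paper). It parses the fixed prefix of WebAuthn authenticator data, records whether a credential reports itself as backup-eligible and backed up (the flag bits the multi-device credential design surfaces to the server), and applies the policy from the thread above: a single-device credential on its own leaves the user one lost key away from lockout, so require either a backed-up credential or at least two distinct ones. The `has_recovery_path` policy, the `StoredCredential` type and the sample bytes are assumptions made for this example.

```rust
use std::collections::HashSet;

// WebAuthn authenticator data flag bits (bit 3 and bit 4 of the flags byte).
pub const FLAG_BE: u8 = 1 << 3; // backup eligible: a multi-device credential
pub const FLAG_BS: u8 = 1 << 4; // backup state: currently backed up

/// What a relying party keeps per registered credential (hypothetical type).
#[derive(Debug, Clone, PartialEq)]
pub struct StoredCredential {
    pub id: Vec<u8>,
    pub backup_eligible: bool,
    pub backed_up: bool,
}

/// Parse the fixed prefix of authenticatorData: rpIdHash (32 bytes),
/// flags (1 byte), signCount (4 bytes, big-endian). None if truncated.
pub fn parse_auth_data(auth_data: &[u8]) -> Option<(u8, u32)> {
    if auth_data.len() < 37 {
        return None;
    }
    let flags = auth_data[32];
    let count = u32::from_be_bytes([auth_data[33], auth_data[34], auth_data[35], auth_data[36]]);
    Some((flags, count))
}

/// Registration: the server only records the credential ID and the
/// backup flags; everything else about syncing happens in the client OS.
pub fn register(id: &[u8], auth_data: &[u8]) -> Option<StoredCredential> {
    let (flags, _sign_count) = parse_auth_data(auth_data)?;
    Some(StoredCredential {
        id: id.to_vec(),
        backup_eligible: flags & FLAG_BE != 0,
        backed_up: flags & FLAG_BS != 0,
    })
}

/// Lockout policy (assumed): a backed-up multi-device credential counts as
/// recoverable; otherwise at least two distinct credential IDs are needed.
pub fn has_recovery_path(creds: &[StoredCredential]) -> bool {
    let synced = creds.iter().any(|c| c.backup_eligible && c.backed_up);
    let distinct: HashSet<&Vec<u8>> = creds.iter().map(|c| &c.id).collect();
    synced || distinct.len() >= 2
}

/// Build constructed authenticator data for testing (placeholder rpIdHash).
pub fn sample_auth_data(flags: u8, sign_count: u32) -> Vec<u8> {
    let mut v: Vec<u8> = vec![0xAA; 32];
    v.push(flags);
    v.extend_from_slice(&sign_count.to_be_bytes());
    v
}
```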
-
Hi,
I'm reviewing crates for 2FA purposes and I've seen that WebAuthn is on the roadmap, but it's struck through.
What's the plan on WebAuthn?
Thanks!