FIDO integration #20
Yubico provides a library for integrating FIDO (two factor) authentication in Python applications, see here: https://github.com/Yubico/python-fido2/tree/master/examples/server. I think this could greatly enhance security in SampleDB (and allow for much shorter passwords). What are your general thoughts on this?

A second and similar addition might be time-based one-time passwords (TOTP), but I haven't looked into existing solutions for this yet.

---

Hey @nilsholle, I'm open to something like this, as two factor authentication is definitely useful. I haven't used a U2F/FIDO2 based authenticator yet and don't have any experience with supporting them in a web service, so I might not be the best person to implement this, but a pull request for this would definitely be welcome. Looking at FIDO and the Web Authentication API, I think it could be implemented as another authentication option (the passwordless FIDO variant), and/or SampleDB could be extended with support for various two factor authentication methods, with the Web Authentication API being the first of those, so users would be able to sign in using any authentication method they have active and would then need to use the Web Authentication API as the second factor (if enabled / set up). I don't know yet how something like this could work for authentication for the HTTP API, though my guess is that it won't work particularly well. However, users with two factor auth are likely not the (bot) users using the HTTP API, so that shouldn't be an issue. If you'd be able to handle the FIDO/U2F/WebAuthentication related code, I could set up the basic infrastructure for two factor authentication methods.

---

Hi,

Of course things would be a little different if FIDO would be used as an alternative to the login via password and not as a second factor... personally, I would be open to both.

---

I have implemented the basic infrastructure for two factor authentication (in commit f1b9a38) along with a TOTP-based two factor authentication method (in commits 39960a0 and a6cf095). You can use those changes as an example of what you will need to do to implement the WebAuth / FIDO / U2F based method. If you have any questions, let me know.

---

I have implemented the use of FIDO2 passkeys for two-factor authentication or (if enabled by an admin) as a standalone authentication method in the current development version.