
FIDO integration #20

Open
nilsholle opened this issue Aug 24, 2021 · 5 comments

Comments

@nilsholle
Contributor

Yubico provides a library for integrating FIDO (two factor) authentication in Python applications, see here: https://github.com/Yubico/python-fido2/tree/master/examples/server. I think this could greatly enhance security in SampleDB (and allow for much shorter passwords). What are your general thoughts on this?

A second and similar addition might be time-based one-time passwords (TOTP), but I haven't looked into existing solutions for this yet.

@FlorianRhiem
Member

Hey @nilsholle,

I'm open to something like this, as two factor authentication is definitely useful. I haven't used a U2F/FIDO2 based authenticator yet and don't have any experience with supporting them in a web service, so I might not be the best person to implement this, but a pull request for this would definitely be welcome.

Looking at FIDO and the Web Authentication API, I think it could be implemented as another authentication option (the passwordless FIDO variant), and/or SampleDB could be extended with support for various two factor authentication methods, with the Web Authentication API being the first of those, so users would be able to sign in using any authentication method they have active and would then need to use the Web Authentication API as the second factor (if enabled / set up). I don't know yet how something like this could work for authentication for the HTTP API, though my guess is that it won't work particularly well. However, users with two factor auth are likely not the (bot) users using the HTTP API, so that shouldn't be an issue.

If you'd be able to handle the FIDO/U2F/WebAuthentication related code, I could set up the basic infrastructure for two factor authentication methods.

@nilsholle
Contributor Author

Hi,
Thanks for the positive feedback! I haven't implemented FIDO in other applications myself, but looking at the example, I think I should be able to handle this. I would be very happy if you could set up the basic infrastructure for two-factor authentication. If I see correctly, this part would also have to come first, am I right? At least storage of the FIDO credentials would have to be ready first.

@nilsholle
Contributor Author

Of course things would be a little different if FIDO would be used as an alternative to the login via password and not as a second factor... personally, I would be open to both.

@FlorianRhiem
Member

I have implemented the basic infrastructure for two factor authentication (in commit f1b9a38) along with a TOTP-based two factor authentication method (in commits 39960a0 and a6cf095). You can use those changes as an example of what you will need to do to implement the WebAuth / FIDO / U2F based method.

If you have any questions, let me know.
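As an added example (not SampleDB's code and not taken from the linked commits or from python-fido2), the two-factor model discussed above worked through with the TOTP method: the first factor is checked first, the second factor is demanded only for users who have one set up, and the verifier tolerates one step of clock drift while rejecting replayed codes. The user records are constructed; the secret is the RFC 6238 test-vector secret.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed sample records; SampleDB's real user model is not used here.
USERS = {
    "alice": {
        "password": "correct horse",             # constructed; real code stores a hash
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
        "totp_last_counter": -1,                 # highest counter already accepted (replay guard)
    },
    "bot": {"password": "api-token", "totp_secret": None, "totp_last_counter": -1},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(user: dict, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check allowing +/-window steps of drift. A counter at or below the
    last accepted one is refused even if the code matches, so a sniffed code cannot be replayed."""
    counter_now = now // step
    for counter in range(counter_now - window, counter_now + window + 1):
        if counter <= user["totp_last_counter"]:
            continue
        expected = hotp(user["totp_secret"], counter)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            user["totp_last_counter"] = counter
            return True
    return False


def login(username: str, password: str, totp_code: Optional[str], now: int) -> str:
    """Returns 'ok', 'need_second_factor' or 'denied'. Users without a second factor
    (e.g. HTTP API bot accounts) are admitted on the first factor alone."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "denied"
    if user["totp_secret"] is None:
        return "ok"
    if totp_code is None:
        return "need_second_factor"
    return "ok" if verify_totp(user, totp_code, now) else "denied"
```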

@FlorianRhiem
Member

I have implemented the use of FIDO2 passkeys for two-factor authentication or (if enabled by an admin) as a standalone authentication method in the current development version.
