•  
      epic #31170 Passkeys / WebAuthn
    Summary
    Passkeys / WebAuthn
    Authentication & LDAP

    Overview

    Add WebAuthn protocol and use of passkeys in Tuleap.

    There are two main usage of passkeys that are targeted:

    • Authentication
    • Strength sensitive part of the application

    Regarding authentication, the goal is to support Passkeys as authentication factor (to replace usage of passwords) in the situation where Tuleap is the authentication authority. It's not planned to add support of Passkeys as second factor (2FA) because

    1. It would require a massive refactoring of the authentication backend
    2. Using passkeys as authentication factor already bake-in 2FA
    3. If you really need 2FA, you can connect to a 3rd party auth system that will do it for you and then use OpenID Connect.

    At the moment, it's however not possible to use passkeys as authentication factor without leaking information about the user:

    To use passkey as first authentication factor you first need a form with one input: the username. Then you ask the backend for registered passkeys linked to this username. It's a possible leak, you can know by testing all possible username who have (or have not) registered a passkey. You can avoid that by creating false passkey for users without one, but a pattern can be detected and it becomes useless, there is no ideal solutions. The documentation also enumerate some other leaks. In a general way, at the current state of WebAuthn API, it's not recommended to do primary authentication with it.

    Empty
    Progress
    Empty
    Empty
    Closed
    Details
    #31170
    Kevin Traini (ktraini)
    2023-12-08 09:50
    2023-03-20 11:33
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Kevin Traini (ktraini)2023-12-08 09:50
    • Description
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    • Description
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes