      epic #31170 Passkeys / WebAuthn
    Summary
    Passkeys / WebAuthn
    Authentication & LDAP

    Overview

    Add support for the WebAuthn protocol and the use of passkeys in Tuleap.

    There are two main usages of passkeys that are targeted:

    • Authentication
    • Strengthening sensitive parts of the application

    Regarding authentication, the goal is to support passkeys as the authentication factor (replacing the use of passwords) in situations where Tuleap is the authentication authority. It is not planned to add support for passkeys as a second factor (2FA) because:

    1. It would require a massive refactoring of the authentication backend.
    2. Using passkeys as the authentication factor already bakes in 2FA.
    3. If you really need 2FA, you can connect to a third-party auth system that provides it and then use OpenID Connect.

    At the moment, however, it is not possible to use passkeys as the authentication factor without leaking information about users:

    To use a passkey as the first authentication factor, you first need a form with a single input: the username. You then ask the backend for the passkeys registered for that username. This is a possible leak: by testing every possible username, you can learn who has (or has not) registered a passkey. You can avoid that by returning a fake passkey for users without one, but a pattern can still be detected and the countermeasure becomes useless; there is no ideal solution. The documentation also lists some other leaks. In general, at the current state of the WebAuthn API, it is not recommended to do primary authentication with it.
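    The enumeration problem described above, as an added illustration that is not part of the epic or of Tuleap's code: a minimal relying-party "begin authentication" endpoint that builds the allowCredentials list from a credential store, an oracle showing what a probing client learns from one response, and the fake-credential countermeasure with the residual pattern it leaves. Usernames, credential IDs and the server secret are constructed sample data; the function and variable names are assumptions for this example only.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, List

# Constructed sample store: username -> registered credential IDs.
# In a real relying party these come from the user/credential database.
REGISTERED_PASSKEYS: Dict[str, List[bytes]] = {
    "alice": [secrets.token_bytes(32)],
    "bob": [secrets.token_bytes(32), secrets.token_bytes(32)],  # two authenticators
}

# Assumed server-side secret used only to derive fake credential IDs.
SERVER_SECRET = os.urandom(32)


def _options(credential_ids: List[bytes]) -> dict:
    """Shape of PublicKeyCredentialRequestOptions sent to navigator.credentials.get()."""
    return {
        "challenge": secrets.token_bytes(32).hex(),
        "allowCredentials": [
            {"type": "public-key", "id": cid.hex()} for cid in credential_ids
        ],
    }


def begin_authentication_naive(username: str) -> dict:
    """Naive endpoint: allowCredentials is copied straight from the store, so an
    unknown user or a user without a passkey gets an empty list."""
    return _options(REGISTERED_PASSKEYS.get(username, []))


def fake_credential_id(username: str) -> bytes:
    """Deterministic dummy credential ID for accounts without a passkey. HMAC makes
    repeated requests for the same username return the same value, as a real
    stored credential would, instead of a fresh random ID each time."""
    return hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()


def begin_authentication_padded(username: str) -> dict:
    """Same endpoint, but a username with no passkey receives one fabricated
    credential so an empty list no longer reveals absence directly."""
    creds = REGISTERED_PASSKEYS.get(username) or [fake_credential_id(username)]
    return _options(creds)


def has_passkey_oracle(begin_fn: Callable[[str], dict], username: str) -> bool:
    """What a probing client concludes from a single response: a non-empty
    allowCredentials list is read as 'this account exists and has a passkey'."""
    return len(begin_fn(username)["allowCredentials"]) > 0


def credential_count(begin_fn: Callable[[str], dict], username: str) -> int:
    """Residual signal left by the padded endpoint: fake accounts always carry
    exactly one credential, so users with several authenticators still stand out."""
    return len(begin_fn(username)["allowCredentials"])


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name,
              "naive:", has_passkey_oracle(begin_authentication_naive, name),
              "padded:", has_passkey_oracle(begin_authentication_padded, name),
              "count:", credential_count(begin_authentication_padded, name))
```

    Running it shows the leak in the naive endpoint (an unregistered name answers with an empty list) and that padding closes that particular oracle, while the credential count and the fixed 32-byte fake ID remain patterns a patient client can correlate, which is the epic's point that there is no ideal solution on the relying-party side alone.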

    Progress
    Empty
    Empty
    Closed
    Details
    #31170
    Kevin Traini (ktraini)
    2023-12-08 09:50
    2023-03-20 11:33
    Attachments
    Empty
    References

    Follow-ups

    Kevin Traini (ktraini)2023-12-08 09:50