Add passkeys as a login method #11

Open
nikosdion opened this issue May 26, 2023 · 0 comments
Labels
Planned Will work on it
Member
nikosdion commented May 26, 2023

Currently, passkeys can only be used as an MFA method.

We can add passkeys as a login method, allowing users to log into Panopticon using their passkey.

There are two types of passkeys we need to support:

  • Username + passkey (roaming authenticator)
  • Passkey only (resident authenticator)

⚠️ Resident authenticators are mostly useful with software-based passkeys such as TouchID / FaceID, Windows Hello, Android biometric lock, 1Password, etc. Hardware-based passkeys are impractical since the majority of hardware FIDO2 keys have a limited number of resident key slots (typically around 10).

At a System Configuration level you have the following options:

  • Login with passkey. Default: enabled
  • Bypass MFA when using a passkey. Default: yes
  • Disable password login when login with passkey is set up: Never, Always, Let the user decide. Default: Let the user decide.
  • Force login with passkey for these groups. Default: none selected.

A new area in the user account will let us manage login passkeys. Adding a new passkey will have an option for a resident or roaming passkey to let users determine which one they want to use.

If “Disable password login when login with passkey is set up” is set to “Let the user decide” AND there is at least one passkey set up, show another option:

  • Disable password login. Default: no

⚠️ We are NOT going to use attestation because of the various problems it creates among cheaper authenticator options, as we found out contributing this feature to Joomla a few years ago.

The login page will have a Login with Passkey button below the login button if the feature is enabled.

If “Disable password login when login with passkey is set up” is a. set to Always; or b. set to “Let the user decide” and the user has enabled “Disable password login”:

  • always fail a password login attempt
  • disable password reset for the user
  • disable the password fields with a message that only logging in with a passkey is allowed (and ignore these fields in the controller, when saving the user)
  • if “Bypass MFA when using a passkey” is also enabled, disable MFA reset for the user

If the user is in a group listed in the “Force login with passkey for these groups”: restrict them to the user edit page upon login with a message that they need to set up a passkey. It's the same as the forced MFA.

If “Bypass MFA when using a passkey” is enabled and the user logged in with a passkey, set the MFA success flag to true upon login so as to bypass MFA entirely.
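
The policy rules above (password-login lockout, reset restrictions, forced passkey enrolment, MFA bypass) as one decision module, written here as an added illustration rather than Panopticon's own code. Names such as `SystemConfig`, `User` and the enum values are assumed; it also assumes the forced-group restriction lifts once the user has enrolled a passkey.

```python
from dataclasses import dataclass
from enum import Enum


class DisablePasswordLogin(Enum):
    NEVER = "never"
    ALWAYS = "always"
    USER_DECIDES = "let_the_user_decide"


@dataclass(frozen=True)
class SystemConfig:  # assumed model of the System Configuration options
    login_with_passkey: bool = True
    bypass_mfa_with_passkey: bool = True
    disable_password_login: DisablePasswordLogin = DisablePasswordLogin.USER_DECIDES
    force_passkey_groups: frozenset = frozenset()


@dataclass(frozen=True)
class User:  # assumed model of the per-user state
    groups: frozenset
    passkeys: int                        # number of login passkeys enrolled
    disable_password_login: bool = False  # the per-user option, only meaningful with >= 1 passkey


def password_login_allowed(cfg: SystemConfig, user: User) -> bool:
    # Password login is only ever locked when the feature is on and a passkey exists.
    if not cfg.login_with_passkey or user.passkeys == 0:
        return True
    if cfg.disable_password_login is DisablePasswordLogin.ALWAYS:
        return False
    if cfg.disable_password_login is DisablePasswordLogin.USER_DECIDES:
        return not user.disable_password_login
    return True  # NEVER


def password_reset_allowed(cfg: SystemConfig, user: User) -> bool:
    # Reset is disabled exactly when password login is disabled.
    return password_login_allowed(cfg, user)


def mfa_reset_allowed(cfg: SystemConfig, user: User) -> bool:
    # MFA reset is disabled only when password login is locked AND passkeys bypass MFA.
    return password_login_allowed(cfg, user) or not cfg.bypass_mfa_with_passkey


def must_enrol_passkey(cfg: SystemConfig, user: User) -> bool:
    # Forced groups are held on the user edit page until a passkey is set up (assumption).
    return cfg.login_with_passkey and user.passkeys == 0 and bool(user.groups & cfg.force_passkey_groups)


def mfa_satisfied_after_login(cfg: SystemConfig, used_passkey: bool) -> bool:
    # The MFA success flag is set only for a passkey login with bypass enabled.
    return cfg.login_with_passkey and cfg.bypass_mfa_with_passkey and used_passkey
```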

@nikosdion nikosdion changed the title Add WebAuthn as a login method Add passkeys as a login method Jul 2, 2024
@nikosdion nikosdion added this to the 1.4 milestone Jul 2, 2024
@nikosdion nikosdion added the Planned Will work on it label Jul 2, 2024