2FA: FIDO / U2F / yubikey support

[DanielHeath]

The current two-factor auth implementation only supports OTP (google authenticator) codes.

I'd like to also support physical keys that implement the FIDO standard (eg current-gen yubikeys), since that way I can recover my account if I lose my phone.

Has this come up anywhere else? The current design might need some tweaking as I'm unsure whether there is a nice way to use these on the command line.

[hsbt]

We welcomed your patch for this.

[DanielHeath]

The existing rails plugin for fido / u2f is GPL3 licenced; will that be compatible with this projects licencing requirements?

…

On 4/5/19 4:45 PM, SHIBATA Hiroshi wrote: We welcomed your patch for this. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1948 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC5RlM2UXH4tARWL9FGlqvnlfewiCB3ks5vduMXgaJpZM4ceK41>.

[bdewater]

Not sure which plugin you're referring to, but as an alternative https://github.com/cedarcode/webauthn-ruby is MIT licensed just like this project itself.

For command line https://github.com/sorah/clarion might be a solution, which uses the same gem.

[DanielHeath]

Webauthn is the previous spec; new keys use FIDO.

There's https://github.com/castle/ruby-u2f (MIT licence) and https://github.com/TwoFactorAuth/ruby (AGPL3 / commercial licence). My gut feeling is that the latter is easier to integrate, though I could be wrong.

[bdewater]

Webauthn is the previous spec; new keys use FIDO.

You're mixing a few things up. U2F was added to Chrome 38 in 2014, the FIDO Alliance submitted FIDO 2.0 APIs to the W3C in 2015 for standardization, which happened last month when WebAuthn became a W3C standard. The spec specifically mentions backwards compatibility with U2F.

FIDO 2.0 comprises of WebAuthn as the browser API and Client To Authenticator Protocol for communicating with CTAP1 (U2F) and CTAP2 hardware.

[ecnelises]

FIDO 2.0 comprises of WebAuthn as the browser API and Client To Authenticator Protocol for communicating with CTAP1 (U2F) and CTAP2 hardware.

So U2F will become legacy?

[bdewater]

Yes, but U2F remains supported.

A big reason for the new API and CTAP2 hardware is that it besides being used as a second factor, it makes a secure multifactor passwordless login experience possible, by way of resident keys and testing for user verification (instead of just user presence). E.g. the Feitian Biopass FIDO2 would show something you have and something you are, but it could also be your Android smartphone.

[grzuy]

Prototype for this: #2108.