21 comments

[ 5.9 ms ] story [ 57.9 ms ] thread
Is this software to emulate fido2 without a hardware key, or is it software to allow non Web clients to access fido2 devices, or something else ?

I already use fido2 on Linux with a hardware key for a while now. So I'm finding this a bit confusing.

If I understand it correctly, it's to use fido2 without firefox or other browser. I support any spread of this and am looking forward to (having the time) to read it
But Linux already supports FIDO2 without Firefox, I use fido2 with sudo, LUKS and ssh keys (gpg as well, but it uses a custom agent). But maybe those use their own custom implementation of the fido protocol?

Didn't really look this up tbh, it just works right now.

sudo, LUKS, and OpenSSH each dynamically link and use Yubico's `libfido2`. That supports FIDO2 well on Linux.
Meaning this is an alternative to yubico libfido2, gotcha. Thanks.
Looks like a DBus API for FIDO2, so it would let any browser or non-browser app to authenticate via FIDO2. It looks pretty neat!
Ah that makes sense!

So it's a way to allow stuff to communicate with fido2 capable devices without having any dependency other than this and dbus, nice

As far as I can tell, it's a library that implements CTAP2 (which it erroneously refers to as webauthn).
This appears to be an alternative to Yubico's `libfido2`. It is software which OTHER software on your computer can use to connect to a FIDO2 authenticator over Bluetooth, USB, etc.

The primary benefit is that Firefox wants Rust-language code for FIDO2 support, so hopefully this library will (eventually) fill that gap and get Firefox-on-Linux to proper FIDO2 Webauthn support.

Hmmm but Firefox on Linux already supports FIDO2, I can login to github and gitlab just fine with the existing implementation.
I bet you're using U2F/FIDO1. Or, more precisely, I bet you're not using CTAP2.

An easy test is to set a PIN on your authenticator, which is an operation that is supported in CTAP2 and unsupported in CTAP1. Does Firefox prompt you for a PIN when you go to authenticate? If no, you're using CTAP1.

My token has a global pin which when o unlock, I can authorise any request with a simple click. But for ssh keys I do have a pin for each one. The websites I've tried never requested for a pin when setting up.

Also LUKS does use FIDO2 https://www.freedesktop.org/software/systemd/man/systemd-cry...

Firefox (only talking about Firefox here) does not use CTAP2, to the best of my knowledge. What you think is "FIDO2" is likely actually U2F/CTAP1. Backwards compatibility with that protocol is part of the FIDO2 spec, but it doesn't enable no-username-provided authentication. LUKS uses libfido2, which supports CTAP2 (and most of CTAP2.1).
> Windows Hello, Android's FIDO2 support, Apple's TouchID and FaceID, are all examples of platform authenticators. There is no reason why the Linux desktop community could not enjoy similar benefits

Don't those platforms all rely on strict sandboxing and code signing, so that funny-dancing-monkey.exe can't rename itself to google-chrome.exe then perform a passwordless sign-on to google.com ?

I always thought this stuff was slow to arrive on Linux because it demands things that are incompatible with the free-software ethos.

You can do strict sandboxing on Linux, too (e. g. with Flatpak).
Yeah, but that only sandboxes the applications that opt in.

If you want to stop malicious applications from doing malicious things, even when the system owner unwisely grants them permission, you need mandatory sandboxing that the system owner can't bypass.

And that isn't compatible with the free software ethos.

I don't think that's necessarily true. All you need is default-on sandboxing that is "painfully obviously wrong" for the system owner to bypass. As a case in point, look at macOS. You can bypass almost every security feature in macOS by rebooting to recovery and disabling CSR, AMFI and whatnot. And even after disabling all this, touchID will still work, and I believe it will still be accepted as a platform authenticator.

I think something similar could be compatible with free software ethos.

This exactly. Bypassing sandbox should be like installing software from tarball as opposed to package managers: possible but pretty much discouraged, an “escape hatch” of sorts.
Android is Linux, and most of those sandboxing changes have been upstreamed.