If I understand it correctly, it's to use fido2 without firefox or other browser. I support any spread of this and am looking forward to (having the time) to read it
But Linux already supports FIDO2 without Firefox, I use fido2 with sudo, LUKS and ssh keys (gpg as well, but it uses a custom agent). But maybe those use their own custom implementation of the fido protocol?
Didn't really look this up tbh, it just works right now.
This appears to be an alternative to Yubico's `libfido2`. It is software which OTHER software on your computer can use to connect to a FIDO2 authenticator over Bluetooth, USB, etc.
The primary benefit is that Firefox wants Rust-language code for FIDO2 support, so hopefully this library will (eventually) fill that gap and get Firefox-on-Linux to proper FIDO2 Webauthn support.
I bet you're using U2F/FIDO1. Or, more precisely, I bet you're not using CTAP2.
An easy test is to set a PIN on your authenticator, which is an operation that is supported in CTAP2 and unsupported in CTAP1. Does Firefox prompt you for a PIN when you go to authenticate? If no, you're using CTAP1.
My token has a global pin which when o unlock, I can authorise any request with a simple click. But for ssh keys I do have a pin for each one. The websites I've tried never requested for a pin when setting up.
Firefox (only talking about Firefox here) does not use CTAP2, to the best of my knowledge. What you think is "FIDO2" is likely actually U2F/CTAP1. Backwards compatibility with that protocol is part of the FIDO2 spec, but it doesn't enable no-username-provided authentication. LUKS uses libfido2, which supports CTAP2 (and most of CTAP2.1).
> Windows Hello, Android's FIDO2 support, Apple's TouchID and FaceID, are all examples of platform authenticators. There is no reason why the Linux desktop community could not enjoy similar benefits
Don't those platforms all rely on strict sandboxing and code signing, so that funny-dancing-monkey.exe can't rename itself to google-chrome.exe then perform a passwordless sign-on to google.com ?
I always thought this stuff was slow to arrive on Linux because it demands things that are incompatible with the free-software ethos.
Yeah, but that only sandboxes the applications that opt in.
If you want to stop malicious applications from doing malicious things, even when the system owner unwisely grants them permission, you need mandatory sandboxing that the system owner can't bypass.
And that isn't compatible with the free software ethos.
I don't think that's necessarily true. All you need is default-on sandboxing that is "painfully obviously wrong" for the system owner to bypass. As a case in point, look at macOS. You can bypass almost every security feature in macOS by rebooting to recovery and disabling CSR, AMFI and whatnot. And even after disabling all this, touchID will still work, and I believe it will still be accepted as a platform authenticator.
I think something similar could be compatible with free software ethos.
This exactly. Bypassing sandbox should be like installing software from tarball as opposed to package managers: possible but pretty much discouraged, an “escape hatch” of sorts.
There's https://www.sigstore.dev/ - but looks like the focus is on containers mostly (rather than eg refusing to load/exec an untrusted dll or binary).
21 comments
[ 5.9 ms ] story [ 57.9 ms ] threadI already use fido2 on Linux with a hardware key for a while now. So I'm finding this a bit confusing.
Didn't really look this up tbh, it just works right now.
So it's a way to allow stuff to communicate with fido2 capable devices without having any dependency other than this and dbus, nice
The primary benefit is that Firefox wants Rust-language code for FIDO2 support, so hopefully this library will (eventually) fill that gap and get Firefox-on-Linux to proper FIDO2 Webauthn support.
An easy test is to set a PIN on your authenticator, which is an operation that is supported in CTAP2 and unsupported in CTAP1. Does Firefox prompt you for a PIN when you go to authenticate? If no, you're using CTAP1.
Also LUKS does use FIDO2 https://www.freedesktop.org/software/systemd/man/systemd-cry...
Don't those platforms all rely on strict sandboxing and code signing, so that funny-dancing-monkey.exe can't rename itself to google-chrome.exe then perform a passwordless sign-on to google.com ?
I always thought this stuff was slow to arrive on Linux because it demands things that are incompatible with the free-software ethos.
If you want to stop malicious applications from doing malicious things, even when the system owner unwisely grants them permission, you need mandatory sandboxing that the system owner can't bypass.
And that isn't compatible with the free software ethos.
I think something similar could be compatible with free software ethos.
See also some related discussion here:
https://lwn.net/Articles/733431/
FIDO2 should be used more, hopefully more sites end up supporting it sooner rather than later.