Support for U2F Two-Factor-Auth #562
Comments
It looks like U2F could be integrated fairly easily using this library. I sadly don't have enough experience with Ruby to do it :(
We should implement the Web Authentication API (WebAuthn) instead of FIDO U2F. It will be supported by all major browsers soon. FIDO is being deprecated and was supported officially only by Google Chrome.
FIDO U2F is supported by Chrome, Firefox and Opera. Many sites besides Google use U2F as a second-factor option, including GitHub. Support for one 2FA method doesn't exclude the use of other 2FA methods. So yes, I would like to see U2F support too. I am not able to help with the coding but can help with testing.
@eddydevink FIDO U2F was experimentally supported in old versions of Firefox Nightly, but it has been abandoned in favor of the Web Authentication standard (see about:config). Chromium (and its variants, e.g. Chrome and Opera) is working on it too (see chrome://flags). FIDO was officially only supported by Chromium and probably will be deprecated soon. AFAIK the only difference in implementation is the client-side (JS) API. People who want to work on this task definitely should read the specification. It looks like this is a relatively easy task.
According to the W3C's WebAuthn spec, they will provide backward compatibility with FIDO U2F. So I think we should focus on implementing WebAuthn. I used a WebAuthn demo in my browser, and it works fine with FIDO U2F.
Love to see this implemented; however, I agree that we should rather aim for WebAuthn instead of "just" U2F.
I agree that WebAuthn is an easy-to-implement and high-utility option for login security. I'd definitely like to see it implemented as an option. Twitter supports it, but last I saw only allowed a single U2F device to be associated with any given account (a totally artificial limitation). If implemented, please keep in mind that some users will prefer to associate multiple U2F devices.
Any followups to this? I would really love to see this implemented in Mastodon but have no experience in Ruby 😞 .
Any input/perspectives from the dev(s) on this? Really needed.
We currently use devise-two-factor (https://github.com/tinfoil/devise-two-factor) to provide 2FA. Adding U2F would be really, really nice, but it's probably too complex for us to implement separately; we'd need to add it as an option to devise-two-factor. It looks like no one has requested this feature there yet—the first step is probably to open an issue on that repository and see what the devs there think.
FYI - Related feature request:
For what it's worth, there's a Ruby implementation of server-side WebAuthn here, if it can be used directly or incorporated into Devise-Two-Factor: https://github.com/cedarcode/webauthn-ruby Echoing the earlier comments about WebAuthn (aka FIDO2), I recommend this issue be renamed to
WebAuthn is technically implemented, right? So this issue can be closed, and new issues can be raised as they are discovered?
It is, and it was awesome when I accidentally discovered that feature! 🙃 👍
Now that there's TOTP 2FA support in the latest version of Mastodon, I'd love to see U2F Support, e.g. for the Yubikey :-) There are not many applications supporting U2F yet, but Mastodon could be an example of such a modern, secure app.
U2F is already supported by Google Chrome / Chromium and Mozilla Firefox (with a U2F add-on).
Thanks for offering TOTP support - maybe U2F can be the next step?