rugk
September 7, 2019, 2:10pm
1
IMHO what is missing as a todo item for the sandbox, is FIDO U2F/WebAuthn abstraction for USB devices.
Problem
User story: I, as a user of a flatpak’ed browser, want to be able to login with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.
So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.
WebAuthn spec has recently been finalized: Web Authentication: An API for accessing Public Key Credentials - Level 2
Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.
Proposed solution
Another special abstraction (and permission) for U2F/WebAuthn access.
Actually, the security and isolation-focused distro Qubes OS has already developed a model, abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/
source code: GitHub - QubesOS/qubes-app-u2f
The doc is really worth a read!
So maybe some kind of new portal? Or new permission?
Also discussed at
Other useful links
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).
While initially developed by Google and Yubico, with contribution from NXP ...
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials (which are themselves FIDO credentials) are sometimes referred to as passkeys.
On the client side, support for WebAuthn can be implemented...
(sponsored sites, but visibly nice)
Cross-posted from:
opened 11:23AM - 19 Mar 19 UTC
new portals
IMHO [what is missing as a todo item for the sandbox](https://github.com/flatpak… /flatpak/wiki/Sandbox#host-changes-needed), is FIDO U2F/WebAuthn abstraction for USB devices.
### Problem
**User story:** I, as a user of a flatpak'ed browser, want to be able to login with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.
So one could do so when you [enable the `--device=all` permission](https://github.com/xhorak/firefox-devedition-flatpak/issues/51#issuecomment-345967459), but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.
WebAuthn spec has recently been finalized: https://www.w3.org/TR/webauthn/
Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.
### Proposed solution
Another special abstraction (and permission) for U2F/WebAuthn access.
Actually, the security and isolation-focused distro Qubes OS has already developed a model, abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/
source code: https://github.com/QubesOS/qubes-app-u2f
The doc is really worth a read!
So maybe some kind of new portal? Or new permission?
### Also discussed at
* GitHub of the experimental unofficial Firefox flatpaks, see https://github.com/xhorak/firefox-devedition-flatpak/issues/51 https://github.com/xhorak/firefox-devedition-flatpak/issues/87 https://github.com/xhorak/firefox-devedition-flatpak/issues/95
* Fedora Discourse regarding Fedora Silverblue: https://github.com/xhorak/firefox-devedition-flatpak/issues/95
### Other useful links
https://en.wikipedia.org/wiki/Universal_2nd_Factor
https://en.wikipedia.org/wiki/WebAuthn
(sponsored sites, but visibly nice)
https://webauthn.guide/
https://webauthn.io/
(Actually, I requested the idea there first.)
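An added example, not part of the original post or of Flatpak's own code: a small audit that reads an app's Flatpak metadata keyfile plus an optional override file and reports whether the `--device=all` grant discussed above is in effect. The app ID and the sample metadata are constructed for illustration; the handling of `!`-prefixed entries assumes overrides written by `flatpak override --nodevice=...`.

```python
import configparser

# Constructed sample metadata in Flatpak's keyfile format (not from a real app).
SAMPLE_BROAD = """\
[Application]
name=org.example.Browser
runtime=org.freedesktop.Platform/x86_64/19.08

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
"""

# Constructed per-app override that removes the broad grant and keeps GPU access.
SAMPLE_OVERRIDE = """\
[Context]
devices=!all;dri;
"""


def device_entries(keyfile_text):
    """Return the raw entries of the devices= key in the [Context] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(keyfile_text)
    raw = parser.get("Context", "devices", fallback="")
    return [item.strip() for item in raw.split(";") if item.strip()]


def effective_devices(metadata_text, override_text=""):
    """Apply override entries on top of the app's own device grants."""
    grants = set(device_entries(metadata_text))
    for item in device_entries(override_text):
        if item.startswith("!"):
            grants.discard(item[1:])  # "!all" revokes the "all" grant
        else:
            grants.add(item)
    return grants


def exposes_all_devices(metadata_text, override_text=""):
    """True when the sandbox is given every host device node, USB included."""
    return "all" in effective_devices(metadata_text, override_text)


if __name__ == "__main__":
    print("app default exposes all devices:", exposes_all_devices(SAMPLE_BROAD))
    print("with override:", sorted(effective_devices(SAMPLE_BROAD, SAMPLE_OVERRIDE)))
```
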
system
(system)
Closed
October 28, 2020, 3:40pm
2
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.