FIDO U2F/WebAuthn portal

IMHO what is missing as a todo item for the sandbox, is FIDO U2F/WebAuthn abstraction for USB devices.

Problem

User story: I, as a user of a flatpak’ed browser, want to be able to login with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.

So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.

WebAuthn spec has recently been finalized: https://www.w3.org/TR/webauthn/

Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.

Proposed solution

Another special abstraction (and permission) for U2F/WebAuthn access.

Actually, the security and isolation-focused distro Qubes OS does already have developed a model, abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/
source code: https://github.com/QubesOS/qubes-app-u2f

The doc is really worth a read!

So maybe some kind of new portal? Or new permission?

Also discussed at

Other useful links


(sponsored sites, but visibly nice)


https://webauthn.io/


Cross-posted from:

(Actually, I requested the idea there first. :smiley: )