FIDO U2F/WebAuthn portal

IMHO what is missing as a todo item for the sandbox, is FIDO U2F/WebAuthn abstraction for USB devices.


User story: I, as a user of a flatpak’ed browser, want to be able to login with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.

So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.

WebAuthn spec has recently been finalized:

Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.

Proposed solution

Another special abstraction (and permission) for U2F/WebAuthn access.

Actually, the security and isolation-focused distro Qubes OS does already have developed a model, abstraction and even software that can be used in their distro to abstract that:
source code:

The doc is really worth a read!

So maybe some kind of new portal? Or new permission?

Also discussed at

Other useful links

(sponsored sites, but visibly nice)

Cross-posted from:

(Actually, I requested the idea there first. :smiley: )

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.