fido2support

micmc

@adison said in fido2support:

aw. but it says you need a key, witch i can get as its really easy.

adison

also, i'm curious, how is it hard to implement fido? vaultwarden was able to do it, no problem, i'm curious how cloudron cant

nebulon

as said I didn't look again into that so far. Last time I attempted, I only managed to get it to work on chrome, but not on firefox. The attempt was with the https://www.npmjs.com/package/fido2-lib module back then.

adison

huh weird. it should workd on almost all major browsers, firefox, chrome, etc etc

adison

i found another open source project that can help, built around passkeys.
https://github.com/teamhanko/hanko

simon

Hello,
I just wanted to emphasise that this topic is super important.
Now that all browsers and the big tech giants support the topic, more and more websites are offering passkey as a secure and very convenient authentication method. At the latest after Amazon offers passkey as a password replacement (https://www.theverge.com/2023/10/23/23928589/amazon-passkey-support-web-ios-shopping-mobile-app), the topic has finally arrived on the broad market.

I see two areas of interest for Cloudron here:

1. cloudron apps with keypass (as 2fa or also as 1fa)
2. app for developers such as Hanko.io=> https://forum.cloudron.io/topic/8375/hanko-io-fido2-webauthn-passwordless-login

adison

@simon uh huh.
thanks for supporting this topic.
this is hanko, by the way

adison

another alternative is passwordless.dev, i think

simon

@nebulon maybe because you use Linux? Unfortunately, the support there is still very poor, but it looks much better on other devices. https://www.passkeys.io/compatible-devices

adison

@simon yeah true

adisonverlice2

alright, i'm wondering what improvements have been made sense this topic rolled out.

sponch

Looking forward to it

crazybrad

@adison +1 for passwordless.dev. Looks really interesting. We have been considering implementing passwordless in one of our applications and their generous user allowance makes a powerful business case. Seems to fit the Cloudron culture as well.

adisonverlice2

@crazybrad 1. witch app? and2. that is really coll man. yeah it does. i cant wait to see how this is going to go along with cloudron. not only that, i think it'll give bitwardens passwordless team a head because cloudron is not large, but pretty good in size. if i were you, what i would do is have it to where all the user has to do is give cloudron dashboard the key, then cloudron will do the other stuf unless required on the users end.

crazybrad

@adisonverlice2 We have a proprietary application (not hosted on Cloudron). I have considered using Cloudron as the single source of authentication truth, but for various reasons, I will likely not go in that direction.

adisonverlice2

@crazybrad i see. that is very cool.

adisonverlice2

i just thought of another way to do fido support.
have cloudron users use something like duo security and then login can be done using fido along with other ways cloudron does not natively support.

adisonverlice2

by the way, that link was a link from security now, a podcast i regularly listen to.
here is the official duo security address.
my business has used it before, so i think its pretty good at what it does.

Jarod

Hey!

Just want to push this. Would be cool to add password less authentication to Cloudron

brerlapn

@girish and @nebulon There's another resource like passwordless.dev that is maintained by members of the W3C and FIDO Alliance team that developed passkeys: https://passkeys.dev/ Even if it's tricky to implement passkey support for applications we host in Cloudron, being able to log in to the admin panel with a passkey would be massive as this provides the security of PKI encryption without the overhead nightmare of running a certificate authority.

It includes libraries and guides for thinking through the implementation. Mastodon handles are on the landing page, too, if you have questions. They maintain the site on their own to help orgs looking to adopt passkeys and one of the maintainers is the author of the SimpleWebAuthn (https://github.com/MasterKale/SimpleWebAuthn)

Bitwarden supports passkeys with their iOS mobile app now and in their beta Android app, and 1Password supports them in both mobile apps, so the ecosystem is at a point where there's full cross-platform support (except Linux dammit, but browser-based passkeys will work on Linux) and it's not just iOS or Chrome Password Manager.