AniNIX/Sora: Consider the authentication future with passkey methods #20
Reference: AniNIX/Kapisi#20
Several major platforms are moving into a model of passkey single sign-on, replacing traditional password & OTP solutions. We should consider this impact and any potential implementation vector for the AniNIX.
The goal for this review should be to ensure users see a unified authentication experience. It should also ensure that any authentication against the server still requires at least two of the following three elements:
Most passkey solutions involve an initial private key transmission with the user's primary mobile device, which is at parity with TOTP solutions. I have some concern that device exploits that can emulate the device-unlock procedure would reduce this solution to something-you-have authentication, though password leaks in breaches would do the same to password+TOTP authentication.
Today, we use a single password-based solution provided by OpenLDAP under AniNIX/Sora with nominal TOTP support in Gitea under AniNIX/Foundation. At least ostensibly, Gitea can act as an OAuth2 provider, but we haven't tried integrating this out to other services. At a minimum, we should try requiring web-facing services to be integrated against Gitea as an OAuth2 provider where possible, to take advantage of the TOTP setup.
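Minimal client-side helpers for the authorization-code flow against Gitea's OAuth2 provider, added here as an example and not code from this issue or the AniNIX projects; the base URL, client id and redirect URI are constructed placeholders, while the `/login/oauth/authorize` and `/login/oauth/access_token` paths are Gitea's documented provider endpoints. The `state` check and PKCE are what keep a service's Gitea integration from being hijacked via a forged or replayed callback.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: replace with the real Gitea base URL and the
# client registered under Site Administration -> Applications.
GITEA_BASE = "https://gitea.example.invalid"
CLIENT_ID = "constructed-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"

# Gitea's OAuth2 provider endpoints (documented paths).
AUTHORIZE_URL = f"{GITEA_BASE}/login/oauth/authorize"
TOKEN_URL = f"{GITEA_BASE}/login/oauth/access_token"


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state, code_challenge, scope="openid profile email"):
    """Authorization request; state binds the callback to this browser session."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "scope": scope,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Reject callbacks whose state does not match the one stored for the session."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code, code_verifier):
    """Form body POSTed to TOKEN_URL; the verifier proves this client began the flow."""
    return {"client_id": CLIENT_ID, "grant_type": "authorization_code",
            "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier}
```

A confidential client also sends its `client_secret` in the token request; the verifier and challenge are kept per-session alongside the state.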
We could consider replacing OpenLDAP with Authentik or something similar, which would provide LDAP for things that still need password authentication but would also offer a future-forward method for moving towards SAML and OIDC SSO. This would take over the password.aninix.net endpoint.
This should be a long-term project after Ubiqtorate is stabilized.