AniNIX/Sora: Consider the authentication future with passkey methods #20

Open
DarkFeather created 2022-10-13 01:00:39 -05:00 · 0 comments
Administrator

Several major platforms are moving into a model of passkey single sign-on, replacing traditional password & OTP solutions. We should consider this impact and any potential implementation vector for the AniNIX.

The goal for this review should be to ensure users see a unified authentication experience. It should also ensure that authentication engaging with the server should still require at least two of the following three elements:

  1. Something you know
  2. Something you are
  3. Something you have

Most passkey solutions involve an initial private key transmission with the user's primary mobile device, which is at parity with TOTP solutions. I have some concern that device exploits that can emulate the device-unlock procedure would reduce this solution to something-you-have authentication, though password leaks in breaches would do the same to password+TOTP authentication.

Today, we use a single password-based solution provided by OpenLDAP under AniNIX/Sora with nominal TOTP support in Gitea under AniNIX/Foundation. At least ostensibly, Gitea can act as an OAuth2 provider, but we haven't tried integrating this out to other services. At least as a minimum, we should try requiring web-facing services be integrated against Gitea as an OAuth2 provider where possible, to take advantage of the TOTP setup.

We could consider replacing OpenLDAP with [Authentik](https://goauthentik.io/docs/) or something similar, which would provide LDAP for things that still need password authentication but would also offer a future-forward method for moving towards SAML and OIDC SSO. This would take over the password.aninix.net endpoint.

This should be a long-term project after Ubiqtorate is stabilized.
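The following Python is an added illustration of the two-of-three rule and the passkey concern raised above; it is not code from this issue, from AniNIX/Sora, or from Gitea. It pairs an RFC 4226/6238 TOTP verifier (the "something you have" check that the Gitea setup relies on) with a small policy evaluator that counts which factor categories a login actually proved. The `Evidence` record, the method names `password`/`totp`/`passkey`, and the choice to treat a passkey's local user verification as "something you are" are assumptions for the example; the `trust_device_unlock=False` switch models the case where an emulated device unlock leaves the passkey proving possession only. The enrolment secret is the RFC 6238 reference key, used here as constructed test data.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    ARE = "something you are"
    HAVE = "something you have"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """TOTP per RFC 6238: accept the code for the current time step or up to
    `window` steps either side to absorb clock drift between phone and server.
    Each candidate is compared in constant time."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


@dataclass(frozen=True)
class Evidence:
    """One authentication method the server checked during a login (assumed model)."""
    method: str                  # "password", "totp" or "passkey"
    verified: bool               # the server-side check of this method succeeded
    user_verified: bool = False  # passkey only: authenticator reported a local user verification


def factors_proven(evidence, trust_device_unlock: bool = True) -> set:
    """Map verified methods onto the know/are/have categories."""
    proven = set()
    for e in evidence:
        if not e.verified:
            continue
        if e.method == "password":
            proven.add(Factor.KNOW)
        elif e.method == "totp":
            proven.add(Factor.HAVE)  # a valid code proves possession of the enrolled secret
        elif e.method == "passkey":
            proven.add(Factor.HAVE)  # the assertion signature proves possession of the private key
            # Assumption: the device unlock behind user verification counts as
            # "something you are" (a PIN unlock would be "something you know";
            # either way it is a second category distinct from possession).
            # With trust_device_unlock=False we model the concern that an
            # emulated unlock leaves nothing but "something you have".
            if e.user_verified and trust_device_unlock:
                proven.add(Factor.ARE)
    return proven


def meets_two_of_three(evidence, trust_device_unlock: bool = True) -> bool:
    """Policy from the issue: at least two distinct categories must be proven."""
    return len(factors_proven(evidence, trust_device_unlock)) >= 2


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: RFC 6238 reference key, not a real credential
    login_time = 59                   # seconds since epoch; time step 1
    totp_ok = verify_totp(secret, "287082", login_time)
    scenarios = [
        ("password + TOTP", [Evidence("password", True), Evidence("totp", totp_ok)], True),
        ("passkey, device unlock trusted", [Evidence("passkey", True, user_verified=True)], True),
        ("passkey, device unlock emulated", [Evidence("passkey", True, user_verified=True)], False),
        ("password only", [Evidence("password", True)], True),
    ]
    for label, ev, trust in scenarios:
        cats = sorted(f.value for f in factors_proven(ev, trust))
        print(f"{label:34s} proves {cats} -> two-of-three: {meets_two_of_three(ev, trust)}")
```

Running the block prints which categories each scenario proves; the "device unlock emulated" row is the reduction to something-you-have that the issue worries about, and it fails the policy even though the passkey signature itself verified.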

DarkFeather added the labels 2022-10-13 01:00:39 -05:00
RFC
On-hold
DarkFeather self-assigned this 2022-10-13 01:00:39 -05:00
DarkFeather added this to the Kanban project 2022-10-13 01:00:39 -05:00
DarkFeather removed their assignment 2023-04-18 14:53:02 -05:00