AniNIX/Sora: Consider the authentication future with passkey methods #20

Open
opened 4 months ago by DarkFeather · 0 comments
Owner

Several major platforms are moving into a model of passkey single sign-on, replacing traditional password & OTP solutions. We should consider this impact and any potential implementation vector for the AniNIX.

The goal for this review should be to ensure users see a unified authentication experience. It should also ensure that authentication engaging with the server should still require at least two of the following three elements:

  1. Something you know
  2. Something you are
  3. Something you have

Most passkey solutions involve an initial private key transmission with the user's primary mobile device, which is parity with TOTP solutions. I have some concern that device exploits that can emulate the device-unlock procedure would reduce this solution to something-you-have authentication, though password leaks in breaches would do the same to password+TOTP authentication.

Today, we use a single password-based solution provided by OpenLDAP under AniNIX/Sora with nominal TOTP support in Gitea under AniNIX/Foundation. At least ostensibly, Gitea can act as a OAuth2 provider, but we haven't tried integrating this out to other services. At least as a minimum, we should try requiring web-facing services be integrated against Gitea as an OAuth2 provider where possible, to take advantage of the TOTP setup.

We could consider replacing OpenLDAP with Authentik or something similar, which would provide LDAP for things that still need password authentication but would also offer a future-forward method for moving towards SAML and OIDC SSO. This would take over the password.aninix.net endpoint.

This should be a long-term project after Ubiqtorate is stabilized.

Several major platforms are moving into a model of passkey single sign-on, replacing traditional password & OTP solutions. We should consider this impact and any potential implementation vector for the AniNIX. The goal for this review should be to ensure users see a unified authentication experience. It should also ensure that authentication engaging with the server should still require at least two of the following three elements: 1. Something you know 1. Something you are 1. Something you have Most passkey solutions involve an initial private key transmission with the user's primary mobile device, which is parity with TOTP solutions. I have some concern that device exploits that can emulate the device-unlock procedure would reduce this solution to something-you-have authentication, though password leaks in breaches would do the same to password+TOTP authentication. Today, we use a single password-based solution provided by OpenLDAP under AniNIX/Sora with nominal TOTP support in Gitea under AniNIX/Foundation. At least ostensibly, Gitea can act as a OAuth2 provider, but we haven't tried integrating this out to other services. At least as a minimum, we should try requiring web-facing services be integrated against Gitea as an OAuth2 provider where possible, to take advantage of the TOTP setup. We could consider replacing OpenLDAP with [Authentik](https://goauthentik.io/docs/) or something similar, which would provide LDAP for things that still need password authentication but would also offer a future-forward method for moving towards SAML and OIDC SSO. This would take over the password.aninix.net endpoint. This should be a long-term project after Ubiqtorate is stabilized.
DarkFeather added the
RFC
On-hold
labels 4 months ago
DarkFeather self-assigned this 4 months ago
DarkFeather added this to the Kanban project 4 months ago
Sign in to join this conversation.
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.