AniNIX/Sora: Consider the authentication future with passkey methods
Several major platforms are moving into a model of passkey single sign-on, replacing traditional password & OTP solutions. We should consider this impact and any potential implementation vector for the AniNIX.
The goal for this review should be to ensure users see a unified authentication experience. It should also ensure that authentication engaging with the server should still require at least two of the following three elements:
- Something you know
- Something you are
- Something you have
Most passkey solutions involve an initial private key transmission with the user's primary mobile device, which is parity with TOTP solutions. I have some concern that device exploits that can emulate the device-unlock procedure would reduce this solution to something-you-have authentication, though password leaks in breaches would do the same to password+TOTP authentication.
Today, we use a single password-based solution provided by OpenLDAP under AniNIX/Sora with nominal TOTP support in Gitea under AniNIX/Foundation. At least ostensibly, Gitea can act as a OAuth2 provider, but we haven't tried integrating this out to other services. At least as a minimum, we should try requiring web-facing services be integrated against Gitea as an OAuth2 provider where possible, to take advantage of the TOTP setup.
We could consider replacing OpenLDAP with Authentik or something similar, which would provide LDAP for things that still need password authentication but would also offer a future-forward method for moving towards SAML and OIDC SSO. This would take over the password.aninix.net endpoint.
This should be a long-term project after Ubiqtorate is stabilized.
Deleting a branch is permanent. It CANNOT be undone. Continue?