
FIDO2 Authentication

Open r4gus opened this issue 1 year ago • 5 comments

Hi,

I don't know what your stance is with regard to FIDO2 authentication (also marketed as Passkey), but I wanted to ask if there is a general interest in adding support at some point in the future and offer my help.

I've experience with implementing the FIDO stack (at least the client and authenticator parts; https://github.com/r4gus/keylib) and I really like the idea of a "truly independent web browser".

At a higher level, adding (full) support for FIDO2 would include:

  • Support for navigator.credentials.create and navigator.credentials.get
  • Support for the CTAP2 protocol with the following transport specific bindings: USB, NFC, and BLE
  • Support for the macOS passkey API (macOS, Windows, Android all have their own (proprietary) passkey APIs)
  • Some debug mechanism for developers similar to chrome://device-log/

Let me know what you think.

Sincerely, David

r4gus, Jul 21 '24 13:07

Would there be any similarities in building a form filling service?

maceip, Aug 01 '24 22:08

Yes, this is kind of the same domain. The shared goal is to automatically select a credential from a set (e.g., KDBX4 password database) for a relying party. The difference is that for FIDO2 you have a specification that defines how the browser and a credential store (e.g. YubiKey) have to communicate with each other, and the browser itself provides JS functions for invoking the discovery of credentials, as well as the creation of new credentials. For filling services you usually install a plugin that interacts with something like a password manager (e.g. KeePassXC), i.e., it's not as deeply embedded into a browser.

r4gus, Aug 02 '24 09:08

As someone who knows roughly nothing about passkeys, I think it's something we'll want/need eventually. If you're interested in working on it, go ahead! :^)

You might want to discuss it a bit on Discord though to see what's actually involved and where we are with any supporting code.

AtkinsSJ, Sep 09 '24 13:09

It's undoubtedly true that WebAuthn is the coolest thing since sliced bread; what's most unfortunate is the implementation surface area is large... partly in my view because it's the last bastion for the old guard, they're grasping at the specification as a last resort (e.g., SPC, FCM).

But a good form filler? A good form filler is worth its weight in gold and should be way easier to ship. Plus it has universal applicability.

Whatever you choose I'd like to support it, so tag me in the future PR(s) 🌐

maceip, Sep 12 '24 09:09

@AtkinsSJ correct me if I'm wrong, but the long-term goal is to switch to Swift with the release of Swift 6. So I think the best way for now is to (partially) implement a CTAP2 client in Swift 6 and then come back when I have something to show.

r4gus, Sep 19 '24 09:09

I might start working on the Credentials API to begin with. I doubt I'll get far though.

sakgoyal, Oct 21 '24 02:10