
WebAuthn/FIDO2

Open n3oney opened this issue 1 year ago • 5 comments

  • [x] Did you check to see if this issue already exists?
  • [x] Is this only a single feature request? Do not put multiple feature requests in one issue.
  • [ ] Is this a question or discussion? Don't use this, use https://lemmy.ml/c/lemmy_support.
  • [ ] Is this a UI / front end issue? Use the lemmy-ui repo.

Describe the feature request below

While simple TOTP 2FA has already been implemented, I wish we could use security keys like the YubiKey for 2FA with WebAuthn. Maybe even going totally passwordless for ease of signing in and even better security?

n3oney avatar Jun 13 '23 06:06 n3oney

While simple TOTP 2FA has already been implemented

It does? Interesting. I don't see a 2fa option in the settings. (My account is on lemmy.world which appears to be running BE: 0.17.4)

JoshuaACasey avatar Jun 14 '23 14:06 JoshuaACasey

It does? Interesting. I don't see a 2fa option in the settings. (My account is on lemmy.world which appears to be running BE: 0.17.4)

Yes, but it's not in a release yet.

n3oney avatar Jun 14 '23 14:06 n3oney

I would also love to see WebAuthn/FIDO2. In my eyes many lemmy users are technical people, FIDO2 could be a plus here.

fxttr avatar Jun 20 '23 12:06 fxttr

Honestly this isn't a "technical people" thing anymore, with iOS (and maybe Android) now having full passkey support, even google.com is now passkey... so it's a big win

cchance27 avatar Jul 15 '23 04:07 cchance27

Honestly this isn't a "technical people" thing anymore, with iOS (and maybe Android) now having full passkey support, even google.com is now passkey... so it's a big win

I disagree. Since passkeys offer less privacy and security than standard FIDO2 (1), there are good arguments for FIDO2 support to secure my account.

(1) This could get really deep into the tech/spec, but basically passkeys offer (optional) extraction of the secret key and upload to the public cloud, whereas the secret key in a FIDO2 HW token is almost impossible to extract, even with physical access to the token. From my personal point of view: passkeys are a dirty workaround for people who were not able to use FIDO2 and their standard use-cases (token management, backups, ...).

novoid avatar Jul 15 '23 13:07 novoid

WebAuthn/FIDO2 are unphishable. Much superior to TOTP.

ptman avatar Sep 15 '23 09:09 ptman
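Why "unphishable" holds in practice, as an added example that is not part of this thread and not Lemmy code: a constructed Go model of one WebAuthn assertion, with the browser/authenticator side and the relying-party verification side. The RP ID `lemmy.example`, the origins and the challenge strings are assumptions; the model skips CBOR, attestation, the public-suffix rule for RP IDs and the signature-counter check, and keeps only the binding that defeats a look-alike site: the browser refuses an `rpId` that is not the page's own host (or a registrable suffix of it), writes the real origin into `clientDataJSON` itself, and the server rejects any assertion whose origin or `rpIdHash` is not its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Credential is what the relying party (a hypothetical Lemmy server) stores: the public key only.
type Credential struct{ RPID string; Pub *ecdsa.PublicKey }

// Authenticator models a security key: one private key per RP ID, never exported from the device.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair scoped to rpID and hands only the public half to the server.
func (a *Authenticator) Register(rpID string) (*Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &Credential{RPID: rpID, Pub: &priv.PublicKey}, nil
}

type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// GetAssertion plays browser plus key. The browser, not the page, checks that rpId is the page's
// host or a registrable suffix of it and writes the true origin into clientDataJSON; the key
// bound to that rpId then signs authData || SHA-256(clientDataJSON).
func (a *Authenticator) GetAssertion(origin, rpID string, challenge []byte) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || (u.Hostname() != rpID && !strings.HasSuffix(u.Hostname(), "."+rpID)) {
		return nil, errors.New("browser refused: rpId is not the page's host or a suffix of it")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("authenticator has no credential for this rpId")
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (UP set) || signCount (0 in this model)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: auth, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. The origin and rpIdHash checks are what make an
// assertion obtained on a look-alike site useless, before the signature is even examined.
func VerifyAssertion(cred *Credential, expectedOrigin string, challenge []byte, as *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	switch {
	case cd["type"] != "webauthn.get":
		return errors.New("wrong clientData type")
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd["origin"] != expectedOrigin:
		return errors.New("origin mismatch (assertion was produced on another site)")
	case len(as.AuthData) != 37:
		return errors.New("unexpected authData length")
	case string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case as.AuthData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.Pub, msg[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key, challenge := NewAuthenticator(), []byte("constructed challenge; use crypto/rand in practice")
	cred, _ := key.Register("lemmy.example") // constructed RP ID
	as, _ := key.GetAssertion("https://lemmy.example", "lemmy.example", challenge)
	fmt.Println("real site:", VerifyAssertion(cred, "https://lemmy.example", challenge, as))
	_, err := key.GetAssertion("https://lemmy.example.evil", "lemmy.example", challenge)
	fmt.Println("look-alike site:", err)
}
```

The contrast with TOTP is in the second call: a page at `lemmy.example.evil` can relay a six-digit code the user types, but it never gets an assertion for `lemmy.example` at all, and anything it could get for its own host carries a different origin and `rpIdHash` that the real server rejects. A production verifier additionally parses CBOR, checks the attestation at registration, tracks the signature counter, and restricts RP IDs to registrable domains; those pieces are omitted here for brevity.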

WebAuthn/FIDO2 are unphishable. Much superior to TOTP.

Yes.

And FIDO2 is much superior to passkeys and all of them (including email or text message PINs) are better than no 2FA at all.

There are use-cases for all of them. FIDO2, for example, doesn't require any expensive hardware token that 99% of people would not like to buy in any case. IMHO, TOTP is a good and privacy-respecting alternative to FIDO2. I'd prefer TOTP over passkeys for good reasons.

novoid avatar Sep 15 '23 14:09 novoid