
Supporting WebAuthn as single factor auth

Open Technikte opened this issue 4 years ago • 5 comments

Is it possible to do a 1FA auth with a security key, without using a password? My idea would be, as an example, in an untrusted env where keypresses could be logged/captured.

1FA: Authenticator, activation by tapping and then logging in. Replaces the password with a single factor, the ownership of the authenticator.

Technikte avatar Jan 13 '21 20:01 Technikte

I agree there are scenarios where that is useful. I don't think it would be difficult to add, but I think it should be a decision for the server admin whether to allow it or not. So that would mean we need to add a config.inc.php to the plugin. I'll give it some thought.

Mind you, you'll still need to enter your username, otherwise Roundcube doesn't know which account to check. Nextcloud has a similar setup, where you can either enter your password or activate your security key.

bartnv avatar Jan 13 '21 22:01 bartnv

Alright, thanks in advance for your time to think about this. Yes, I agree with you... since I use in my test env at the moment only my email address + imap password, it would be pretty critical if someone gets the imap password. I still need to figure out how to use user accounts not based on imap details, and then username + key would be fine.

Technikte avatar Jan 14 '21 15:01 Technikte

It's a complicated thing because Roundcube needs the user's password to be able to login to the IMAP server. We'd have to store the password encrypted either in the Roundcube database or in a cookie. I use a persistent login plugin (https://github.com/mfreiholz/persistent_login) that does something similar, but unfortunately it's not part of Roundcube itself so we can't rely on it being available. I could make it a dependency but then again not every admin will want the "keep me logged in" functionality.

bartnv avatar Jan 14 '21 16:01 bartnv
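One way to realise the "store the password encrypted" option described above, as an added illustration that is not code from this plugin, Roundcube or persistent_login: the IMAP password is wrapped with AES-GCM under a fresh random key, the ciphertext lives in the server database and the key in the client's cookie, so neither store alone yields the password. Function names, the user/password values and the split between `Wrap` and `Unwrap` are constructed for this example; the WebAuthn assertion check that must precede `Unwrap` is assumed to happen elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

const keySize, nonceSize = 32, 12 // AES-256 key, standard 96-bit GCM nonce
var b64 = base64.StdEncoding

// newGCM builds AES-256-GCM; callers guarantee a keySize-byte key, so the
// only error paths (bad key or block size) are unreachable.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Wrap encrypts the IMAP password under a fresh random key: the blob is stored
// server-side per user, the key goes into the client's cookie (example design).
func Wrap(user, imapPassword string) (blob, cookieKey string, err error) {
	buf := make([]byte, keySize+nonceSize)
	if _, err = rand.Read(buf); err != nil {
		return "", "", err
	}
	key, nonce := buf[:keySize], buf[keySize:]
	// The username is authenticated as associated data, so a blob moved to
	// another account's row will not decrypt.
	ct := newGCM(key).Seal(nonce, nonce, []byte(imapPassword), []byte(user))
	return b64.EncodeToString(ct), b64.EncodeToString(key), nil
}

// Unwrap runs only after the user's WebAuthn assertion has been verified and
// recovers the IMAP password Roundcube needs to open the mail session.
func Unwrap(user, blob, cookieKey string) (string, error) {
	ct, err1 := b64.DecodeString(blob)
	key, err2 := b64.DecodeString(cookieKey)
	if err1 != nil || err2 != nil || len(key) != keySize || len(ct) < nonceSize {
		return "", errors.New("malformed blob or cookie key")
	}
	pt, err := newGCM(key).Open(nil, ct[:nonceSize], ct[nonceSize:], []byte(user))
	if err != nil {
		return "", err // wrong cookie key, tampered blob, or different user
	}
	return string(pt), nil
}
```

A database dump exposes only `blob`, a stolen cookie only `cookieKey`; an attacker needs both plus a valid WebAuthn assertion to reach the IMAP password.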

Yeah, I noticed when I tried that the "new_user_dialog" plugin doesn't create new users based on a username + password. So the first login should or would always be in a secure env with email address + imap password, and in that session the person could set up a security key for all logins after that. These would then be done without the password being needed. This would work for me too; I kinda share the feeling... that I am not quite sure if I want to stay logged in.

Technikte avatar Jan 14 '21 16:01 Technikte

I'm marking this wontfix for now. If circumstances change, like Roundcube natively supporting persistent login, then I'm willing to re-evaluate this.

bartnv avatar Jun 14 '21 17:06 bartnv