matrix-spec-proposals

MSC1998: Two-Factor Authentication Providers

Open cyphar opened this issue 6 years ago • 11 comments

Rendered

Implements: #1997

Signed-off-by: Aleksa Sarai [email protected]

cyphar May 14 '19 04:05

@cyphar I've flagged this as ready to review. If that's incorrect, please let me know.

I haven't read the whole thing yet, but the detail is massively appreciated!

turt2live May 14 '19 06:05

I hope I didn't go overboard, I ended up copying the structure of the actual spec docs but maybe I should've been a bit more terse?

cyphar May 14 '19 07:05

@turt2live I've made the corrections you mentioned. One thing with using DELETE is that now it makes slightly less semantic sense to disable only some of the two-factor providers (then again, POST /disable is quite a bit uglier). If only there was a DELETE-PATCH. :wink:

cyphar Jun 12 '19 15:06

@dainnilsson please move your comments to threads on the diff so people can reply.

turt2live Jan 13 '20 18:01

> @dainnilsson please move your comments to threads on the diff so people can reply.

Done!

dainnilsson Jan 14 '20 09:01

Any updates on this? I would like to have this merged as I would love to use WebAuthn as second factor when authenticating.

warriorzz Apr 23 '22 15:04

Same question.

> Any updates on this? I would like to have this merged as I would love to use WebAuthn as second factor when authenticating.

shoqvalue May 29 '22 22:05

I haven't had much time to review this after I first posted it. It is still a feature I'd like (I still use Matrix daily and wish we'd have 2FA) but it seems that WebAuthn would require a more flexible design than the pretty basic one I came up with here -- this feature would almost certainly turn out better if it's handled by someone with more experience dealing with authentication.

cyphar May 30 '22 06:05

Isn't this work effectively overshadowed by the OIDC initiative the Matrix Foundation is currently following?

From what I know, it'd essentially move authentication to somewhere else, which then has to implement WebAuthn instead. (The focus being that, by default, a server will use matrix-authentication-service as an internal OIDC provider, which already has an issue open about this: https://github.com/matrix-org/matrix-authentication-service/issues/18)

ShadowJonathan Sep 30 '22 16:09

Yes, OIDC would obviate the need for this. For now we'll keep it open until we are fully committed to OIDC.

richvdh Oct 03 '22 10:10