FIDO integration

[nilsholle]

Yubico provides a library for integrating FIDO (two factor) authentication in Python applications, see here: https://github.com/Yubico/python-fido2/tree/master/examples/server. I think this could greatly enhance security in SampleDB (and allow for much shorter passwords). What are your general thoughts on this?

A second and similar addition might be time-based one-time passwords (TOTP), but I haven't looked into existing solutions for this yet.

[FlorianRhiem]

Hey @nilsholle,

I'm open to something like this, as two factor authentication is definitely useful. I haven't used a U2F/FIDO2 based authenticator yet and don't have any experience with supporting them in a web service, so I might not be the best person to implement this, but a pull request for this would definitely be welcome.

Looking at FIDO and the Web Authentication API, I think it could be implemented as another authentication option (the passwordless FIDO variant), and/or SampleDB could be extended with support for various two factor authentication methods, with the Web Authentication API being the first of those, so users would be able to sign in using any authentication method they have active and would then need to use the Web Authentication API as the second factor (if enabled / set up). I don't know yet how something like this could work for authentication for the HTTP API, though my guess is that it won't work particularly well. However, users with two factor auth are likely not the (bot) users using the HTTP API, so that shouldn't be an issue.

If you'd be able to handle the FIDO/U2F/WebAuthentication related code, I could set up the basic infrastructure for two factor authentication methods.

[nilsholle]

Hi,
Thanks for the positive feedback! I haven't implemented FIDO in other applications myself, but looking at the example, I think I should be able to handle this. I would be very happy if you could set up the basic infrastructure for two-factor authentication. If I see correctly, this part would also have to come first, am I right? At least storage of the FIDO credentials would have to be ready first.

[nilsholle]

Of course things would be a little different if FIDO would be used as an alternative to the login via password and not as a second factor... personally, I would be open to both.

[FlorianRhiem]

I have implemented the basic infrastructure for two factor authentication (in commit f1b9a38) along with a TOTP-based two factor authentication method (in commits 39960a0 and a6cf095). You can use those changes as an example of what you will need to do to implement the WebAuth / FIDO / U2F based method.

If you have any questions, let me know.

[FlorianRhiem]

I have implemented the use of FIDO2 passkeys for two-factor authentication or (if enabled by an admin) as a standalone authentication method in the current development version.