2FA: FIDO / U2F / yubikey support #2792
Replies: 9 comments
-
We welcomed your patch for this.
-
The existing rails plugin for fido / u2f is GPL3 licenced; will that be compatible with this project's licencing requirements?
…On 4/5/19 4:45 PM, SHIBATA Hiroshi wrote:
We welcomed your patch for this.
-
Not sure which plugin you're referring to, but as an alternative https://github.com/cedarcode/webauthn-ruby is MIT licensed just like this project itself. For command line https://github.com/sorah/clarion might be a solution, which uses the same gem.
-
Webauthn is the previous spec; new keys use FIDO. There's https://github.com/castle/ruby-u2f (MIT licence) and https://github.com/TwoFactorAuth/ruby (AGPL3 / commercial licence). My gut feeling is that the latter is easier to integrate, though I could be wrong.
-
You're mixing a few things up. U2F was added to Chrome 38 in 2014, the FIDO Alliance submitted FIDO 2.0 APIs to the W3C in 2015 for standardization, which happened last month when WebAuthn became a W3C standard. The spec specifically mentions backwards compatibility with U2F. FIDO 2.0 comprises WebAuthn as the browser API and Client To Authenticator Protocol for communicating with CTAP1 (U2F) and CTAP2 hardware.
-
So U2F will become legacy?
-
Yes, but U2F remains supported. A big reason for the new API and CTAP2 hardware is that, besides being used as a second factor, it makes a secure multifactor passwordless login experience possible, by way of resident keys and testing for user verification (instead of just user presence). E.g. the Feitian Biopass FIDO2 would show something you have and something you are, but it could also be your Android smartphone.
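The two comments above describe FIDO2 as WebAuthn (browser API) plus CTAP (authenticator protocol), and the difference between "user present" (a touch, U2F-style second factor) and "user verified" (PIN or biometric, what passwordless login relies on). That distinction lives in the flags byte of the authenticatorData the authenticator returns. The Ruby below is an added example, not code from this thread, from this project or from the gems linked above: it parses the fixed 37-byte prefix of authenticatorData and applies the relying-party checks a server should make (rpIdHash, UP, UV when policy requires it, signature counter). The module name, the policy options and the sample bytes are constructed for illustration.

```ruby
require 'digest'

# Parses the fixed prefix of WebAuthn authenticatorData
# (rpIdHash[32] | flags[1] | signCount[4], then optional attested
# credential data / extensions) and applies relying-party policy.
# Hypothetical module written for this example, not project code.
module AuthData
  FLAG_UP = 0x01 # user present: authenticator was touched
  FLAG_UV = 0x04 # user verified: PIN or biometric checked on-device
  FLAG_AT = 0x40 # attested credential data follows (registration)
  FLAG_ED = 0x80 # extension data follows

  Parsed = Struct.new(:rp_id_hash, :flags, :sign_count, keyword_init: true) do
    def user_present?
      (flags & FLAG_UP) != 0
    end

    def user_verified?
      (flags & FLAG_UV) != 0
    end
  end

  def self.parse(bytes)
    raise ArgumentError, "authenticatorData too short" if bytes.bytesize < 37

    Parsed.new(
      rp_id_hash: bytes.byteslice(0, 32),
      flags: bytes.getbyte(32),
      sign_count: bytes.byteslice(33, 4).unpack1("N") # big-endian uint32
    )
  end

  # require_uv: true for passwordless / multifactor policy, false when the
  # key is only a second factor. stored_count: last counter value seen for
  # this credential (0 if the authenticator does not implement a counter).
  def self.verify(bytes, rp_id:, require_uv:, stored_count:)
    data = parse(bytes)
    errors = []

    # The hash must be of the RP ID this server expects, or the assertion
    # was produced for a different origin.
    expected = Digest::SHA256.digest(rp_id)
    errors << :rp_id_mismatch unless secure_equal?(data.rp_id_hash, expected)

    errors << :user_not_present unless data.user_present?
    errors << :user_not_verified if require_uv && !data.user_verified?

    # A counter that fails to increase can indicate a cloned authenticator;
    # the check is skipped only when neither side has ever used a counter.
    if data.sign_count != 0 || stored_count != 0
      errors << :counter_not_increased unless data.sign_count > stored_count
    end

    { ok: errors.empty?, errors: errors, sign_count: data.sign_count }
  end

  # Constant-time byte comparison for the hash check.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample assertion data (not captured from a real key):
# RP ID "example.com", UP and UV set, counter 42.
def sample_auth_data(rp_id: "example.com",
                     flags: AuthData::FLAG_UP | AuthData::FLAG_UV,
                     count: 42)
  Digest::SHA256.digest(rp_id) + [flags].pack("C") + [count].pack("N")
end

if __FILE__ == $PROGRAM_NAME
  p AuthData.verify(sample_auth_data, rp_id: "example.com",
                    require_uv: true, stored_count: 41)
  p AuthData.verify(sample_auth_data(flags: AuthData::FLAG_UP),
                    rp_id: "example.com", require_uv: true, stored_count: 0)
end
```

With `require_uv: false` a U2F/CTAP1 key that only ever sets UP passes, which is the "second factor" case; with `require_uv: true` the same assertion is rejected, which is why the passwordless flow needs CTAP2 hardware with PIN or biometric. After a successful check the server should persist the returned `sign_count` for the credential.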
-
Prototype for this: #2108.
-
This seems already implemented by #2865.
-
The current two-factor auth implementation only supports OTP (Google Authenticator) codes.
I'd like to also support physical keys that implement the FIDO standard (e.g. current-gen yubikeys), since that way I can recover my account if I lose my phone.
Has this come up anywhere else? The current design might need some tweaking as I'm unsure whether there is a nice way to use these on the command line.