yubikey support #202

Open
pypingou opened this issue Apr 6, 2020 · 9 comments
Labels
down the road enhancement New feature or request unconfimed A new issue that has not been confirmed as an issue, or an RFE that hasn't been accepted yet.

Comments

@pypingou
Member

pypingou commented Apr 6, 2020

The current code base supports FreeOTP which works fine and is great but the Fedora infrastructure has a number of yubikeys that they have been using for some time.

Is there a possibility to have support for yubikey as well?

In general, we may want to see if we can get the code dealing with 2 factor auth tokens to be sort of plugin-based, as more 2FA methods/tokens appear on a regular basis and we may end up wanting to support new ones in the future.

@abompard
Member

abompard commented Apr 6, 2020

That mostly depends on whether FreeIPA supports it or not. @tiran, do you know about that?

@tiran

tiran commented Apr 6, 2020

What kind of yubikey integration are you looking for? HOTP slot? U2F? PIV smart card? YubiCloud validation server?

IPA has the ipa otptoken-add-yubikey client-side command to enrol a yubikey. This will take up one of two slots on the YubiKey and configure it as HOTP.

Fraser wrote a blog post about X.509 / PIV smart card with the more expensive yubikeys: https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html

YubiRADIUS is no longer supported by Yubico.

I'm not aware of any solution for FreeIPA that integrates with YubiCloud validation service.

FreeIPA does not yet support U2F.

@abbra

abbra commented Apr 6, 2020

The U2F support ticket is tracked in https://pagure.io/freeipa/issue/6632. You may want to read the discussion details there. For the browser part, there is now an Ipsilon ticket, https://pagure.io/ipsilon/issue/315, as well.

@nirik
Member

nirik commented Apr 6, 2020

I would love u2f/webauthn support, it's vastly more user friendly for users, and just better all around.

Even if we can't implement it now in noggin, we should definitely try and do so as soon as support lands in ipa.

Other than that we currently have HOTP slot support for yubikeys in fas2. I guess we could try and keep that in noggin, but if u2f/webauthn is going to come soon I would personally be ok not bothering with HOTP and just doing that.

@abompard abompard added enhancement New feature or request down the road labels Apr 6, 2020
@ryanlerch ryanlerch added the unconfimed A new issue that has not been confirmed as an issue, or an RFE that hasn't been accepted yet. label Apr 17, 2020
@ryanlerch
Contributor

Marking this as unconfirmed, as we aren't 100% sure how to proceed on this one.

@nirik
Member

nirik commented Sep 27, 2021

So, IMHO:

  1. We should try and support yubikey HOTP since U2F is likely to take a while. To do this we need to look at what ipa otptoken-add-yubikey does and needs and emulate / get noggin to do that. I'm not sure what's involved, but it should be possible.

  2. Longer term as soon as U2F is supported we should add that support to noggin too.

@Mikaela

Mikaela commented Apr 30, 2024

Does this issue include passkeys as a part of webauthn? I rediscovered this issue by the latter keyword as they were mentioned in #579 (comment) and I would like to use them for login (especially on computer and iPhone where Bitwarden supports them well, my Android is too old for now).

@abbra

abbra commented Apr 30, 2024

On the FreeIPA side we now have support for FIDO2 USB/NFC tokens through libfido2 in Kerberos. This does not include webauthn through the web browser yet, thus one cannot use the tokens defined for FreeIPA users through the browsers. We will get to that 'soon'.
So to answer @Mikaela: no, those aren't supported yet.

@iSaluki

iSaluki commented Apr 30, 2024

Passkeys seem to be rolling out quite quickly at the moment, with major password managers, browsers and operating systems all introducing compatibility (if it wasn't already there). In light of that, WebAuthn support is likely something that will be in higher demand in the near future.

8 participants