FIDO U2F/WebAuthn abstraction/permission/portal/…

[rugk]

IMHO what is missing as a todo item for the sandbox, is FIDO U2F/WebAuthn abstraction for USB devices.

Problem

User story: I, as a user of a flatpak'ed browser, want to be able to login with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use a passwordless authentication.

So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.

WebAuthn spec has recently been finalized: https://www.w3.org/TR/webauthn/

Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.

Proposed solution

Another special abstraction (and permission) for U2F/WebAuthn access.

Actually, the security and isolation-focused distro Qubes OS does already have developed a model, abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/
source code: https://github.com/QubesOS/qubes-app-u2f

The doc is really worth a read!

So maybe some kind of new portal? Or new permission?

Also discussed at

• GitHub of the experimental inofficial Firefox flatpaks, see U2F support. xhorak/firefox-devedition-flatpak#51 Add usb devices access, to allow Firefox to log-in with U2F xhorak/firefox-devedition-flatpak#87 Support USB dongles (U2F/WebAuthn) xhorak/firefox-devedition-flatpak#95
• Fedora Discourse regarding Fedora Silverblue: Support USB dongles (U2F/WebAuthn) xhorak/firefox-devedition-flatpak#95

Other useful links

https://en.wikipedia.org/wiki/Universal_2nd_Factor
https://en.wikipedia.org/wiki/WebAuthn

(sponsored sites, but visibly nice)
https://webauthn.guide/
https://webauthn.io/

[rugk]

Any official reply? Are you evaluating this or what?

4 users have already upvoted this, and the issues that it causes come up again and again. And as I think the prevalence of WebAuthn/hardware keys or similar will only increase in the future, this topic/problem will likely come up/get bigger again and again.

[rugk]

Cross-posted to the GNOME Discourse forum.

[TingPing]

Since you seem quite passionate about this portal its likely going to come down to implementing it yourself.

[rugk]

If you look at https://github.com/QubesOS/qubes-app-u2f you'll see this may certainly not be easy.

[TingPing]

I did glance over it and yeah it is very complex. I'm not super familiar with U2F but it seems deeply tied to USB which makes things harder.

[swick]

I'm also interested but have not looked much into it. Does the browser have to use the CTAP spec? Can we not "just" have a daemon on the host talking CTAP with the devices and expose a simpler, more WebAuth-like API through a portal?

[ueno]

Hi Sebastian, that sounds reasonable. I have recently been working with a student who is trying to expose CTAP2 through D-Bus for similar purposes, and asked the developer of authenticator-rs about the possibility of future integration; adding it as an alternative transport seems to be an option, once the multiple transport support is implemented in the library.

That said, we haven't even figured out how the D-Bus protocol would look like. Perhaps we could collaborate on the design and implementation? :-)

[rugk]

BTW with the official release of a Firefox flatpak on Flathub, this is getting much more important now. 😃

[barthalion]

At the moment it works as long as you have udev rules for your U2F device installed on the host. Firefox uses --device=all and my Yubikey works fine that way.

[WayeeCool]

Came here because I gave the official release of Firefox for Flapak a try only to discover that U2F and webauth are broken with zero plans for a fix. I am seriously disappointed and rather surprised to see core Gnome and Flatpak devs dismissively claiming that this is not a critical feature for Flatpak to be considered usable for mainstream desktop use.

The "efff off" answer to bug reports and feature request on this topic rather than maybe suggesting a feature bounty, really says something about the management of the Flatpak project and probably shines light on the platforms adoption issues. How can Flatpak's developers argue that Flakpak is better than traditional methods of application distribution "because it promotes security" when they are also claiming security critical application features such as U2F/webauth have no place?

[swick]

That said, we haven't even figured out how the D-Bus protocol would look like. Perhaps we could collaborate on the design and implementation? :-)

I'm afraid that I can't help much with that without diving into the protocols but it should not be too hard when you already have a solid, simple C interface.