MSC1998: Two-Factor Authentication Providers

[cyphar]

Rendered

Implements: #1997
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

---

SCT Stuff:

FCP closure tickyboxes

No MSC checklist.

[turt2live]

@cyphar I've flagged this as ready to review. If that's incorrect, please let me know.

I haven't ready the whole thing yet, but the detail is massively appreciated!

[cyphar]

I hope I didn't go overboard, I ended up copying the structure of the actual spec docs but maybe I should've been a bit more terse?

[turt2live]

looking pretty good so far!

[cyphar]

@turt2live I've made the corrections you mentioned. One thing with using DELETE is that now it makes slightly less semantic sense to disable only some of the two-factor providers (then again, POST /disable is quite a bit uglier). If only there was a DELETE-PATCH. 😉

[turt2live]

turns out I can't read, as vdh points out these should be two_factor: #1998 (comment)

[turt2live]

@dainnilsson please move your comments to threads on the diff so people can reply.

[dainnilsson]

Some 2FA credential variants will require more round-trips to set up, for example WebAuthn (https://www.w3.org/TR/webauthn/). Does this endpoint allow for that? For example, when setting up a credential the client needs to first get a challenge, and then provide a response based on that challenge to the server. Potentially other protocols might require even more round-trips to complete.

Likewise for TOTP, it's common that as part of credential registration the server requires a valid OTP for the new credential before activating it, to make sure the client has correctly received and supports the parameters used. Perhaps this should be part of the m.login.two-factor.totp registration flow?

[cyphar]

Perhaps I'm misunderstanding WebAuthn (and I'd love to hear more about it -- I've only interacted with the first-gen FIDO stuff very superficially), isn't it intended to replace passwords as one of the factors of authentication (rather than being an alternative MFA mechanism)? If so, then adding a new login flow (separate to this proposal) would seem to be a better path forward to have WebAuthn supported in Matrix.

But I think you're right that the current design of Matrix's login flow system doesn't allow for multiple ping-pongs between clients and servers. You'd need to create separate login stages (which seems to me to be a little bit scary since forgetting to include a login flow step means that the authentication would succeed if I understand how it works correctly).

Perhaps this should be part of the m.login.two-factor.totp registration flow?

Yes it probably should be, and all MFA registration flows I can think of work that way...

[ptman]

WebAuthn can be used in several ways. Also as single factor. But I believe most common is to use instead of SMS or TOTP codes as second factor.

[dainnilsson]

One other consideration is that a single 2FA provider may need to support multiple credentials. While I think this might be possible under the current API by leveraging the provider params dict, it does overlay a lot of functionality on a single endpoint. For any given provider we not only have "enable/reset", but also "add credential" and "remove (specific) credential". I'm not sure if this warrants additional endpoints or not.

[dainnilsson]

@dainnilsson please move your comments to threads on the diff so people can reply.

Done!

[warriorzz]

Any updates on this? I would like to have this merged as I would love to use WebAuthn as second factor when authenticating.

[shoqvalue]

Same question.

Any updates on this? I would like to have this merged as I would love to use WebAuthn as second factor when authenticating.

[cyphar]

I haven't had much time to review this after I first posted it. It is still a feature I'd like (I still use Matrix daily and wish we'd have 2FA) but it seems that WebAuthn would require a more flexible design than the pretty basic one I came up with here -- this feature would almost certainly turn out better if it's handled by someone with more experience dealing with authentication.

[ShadowJonathan]

Isn't this work effectively overshadowed by the OIDC initiative the matrix foundation is currently following?

From what I know, it'd essentially move authentication to somewhere else, which then has to implement webauthn instead. (The focus being that, by default, a server will use matrix-authentication-service as an internal OIDC provider, which already has an issue open about this: matrix-org/matrix-authentication-service#18)

[richvdh]

yes, OIDC would obviate the need for this. For now we'll keep it open until we are fully committed to OIDC.

[zincentimeter]

Is there any follow-up on this feature?

[clokep]

With the adoption of OAuth 2.0 based authentication API (MSC3861) I don't think the SCT will plan to further improve the Matrix-specific authentication APIs. With that in mind I'm going to put this up for closure. If the author wishes to close this they can do so directly at any point.

@mscbot fcp close

[mscbot]

This FCP proposal has been cancelled by #1998 (comment).

Team member @mscbot has proposed to close this. The next step is review by the rest of the tagged people:

• @clokep
• @dbkr
• @uhoreg
• @turt2live
• @ara4n
• @anoadragon453
• @richvdh
• @tulir
• @erikjohnston
• @KitsuneRal

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

[cyphar]

Yeah it seems this is obviated by OIDC, though it's not actually supported yet. Closing this 6-year-old PR...

[turt2live]

@mscbot fcp cancel