passkey authentication 👀 #7

Open
deanveloper opened this issue Dec 29, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@deanveloper
Collaborator

Pitch

Passkeys are a relatively new authentication system that makes it so that passwords aren't required. Would be cool if we allowed passkey authentication as an alternative to passwords!

This is probably going to be a pretty big feat since I have no clue how passkeys actually work... LOL. Here is a demo for passkeys; they're essentially a method of authentication where the browser will send a notification to your phone and ask for a biometric from your phone.

Motivation

Passwords are... quite bad. Not only are they only a single factor of authentication, but they are also quite susceptible to being cracked, and all sorts of attacks.

Passkeys solve this by using public/private key authentication, meaning that even if a data breach occurs, the hacker would only get public keys which are next to useless for stealing credentials.

For the record I'm mostly just making this ticket for myself to track research on what this would look like. There's also a ticket on mastodon's issue tracker here: mastodon#20383

@neatchee neatchee added the enhancement New feature or request label Dec 30, 2022
@ghost

ghost commented Mar 11, 2023

@deanveloper, I don't think that's a good idea. Passkeys are more secure compared to passwords and MFA, but I don't think we should (or can) implement passkeys in-house. TBH, with how crazy the world is right now (I know this because I'm a journalist), unless Mastodon gGmbH hires a security expert to implement passkeys network-wide, Urusai is better off using a 3rd-party passkey service for security and legality reasons, which may require monthly fees or certain licenses that may go against the AGPL.

@deanveloper
Collaborator Author

@IRod22 The ticket was mostly just made for tracking any progress/insights about it, I'm not sure if I'd ever actually be able to fully implement something like this. Can you go into detail about why we wouldn't be able to implement this in-house? I'm no cybersecurity expert but I do have experience in authentication mechanisms and the basic dos and don'ts. I know the kinds of things to look out for when implementing authentication and know the kinds of things to search if I'm unsure about something. My only real concern is my lack of Ruby knowledge, so I might use some kind of library for the backend. As long as we use open-source software (doesn't even need to be AGPL licensed) we shouldn't come into any legal trouble with the Mastodon AGPL license.

@ghost

ghost commented Mar 11, 2023

@deanveloper, I'm not saying that we couldn't implement passkeys; Rails does have (most of?) the facilities needed, and there is even a WebAuthn implementation for Ruby. I am just saying that passkey technology has to be implemented correctly to be secure. When I evaluate something for security, storage of login credentials, or storage of other user data, I mentally test it against worst-case scenarios that an API server could experience, and I also consider the legal consequences of the feature/system in question failing to safeguard user data.
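The server-side checks that the public/private key model in the opening post and the "implemented correctly" concern in the last comment both rest on, written out as an added example that is not part of this thread and is not code from Mastodon or from any WebAuthn library. `RP_ID`, `ORIGIN`, the `stored` record and every function name are assumptions made for illustration, the public key is kept as PEM instead of the COSE encoding real WebAuthn uses, and the authenticator is a stand-in that only builds constructed sample input.

```ruby
require "openssl"
require "json"
require "securerandom"

RP_ID  = "social.example"          # constructed relying-party ID (assumption)
ORIGIN = "https://social.example"  # constructed origin (assumption)

# Server side: returns the new signature counter, raises on the first failed check.
def verify_assertion(stored, challenge, client_data_json, auth_data, signature)
  client = JSON.parse(client_data_json)
  raise "wrong ceremony type" unless client["type"] == "webauthn.get"
  raise "challenge mismatch"  unless client["challenge"] == challenge
  raise "origin mismatch"     unless client["origin"] == ORIGIN
  rp_hash, flags, count = auth_data.unpack("a32CN") # rpIdHash, flags, signCount
  raise "rpIdHash mismatch"   unless rp_hash == OpenSSL::Digest::SHA256.digest(RP_ID)
  raise "user not present"    if (flags & 0x01).zero?
  signed = auth_data + OpenSSL::Digest::SHA256.digest(client_data_json)
  key = OpenSSL::PKey.read(stored[:public_key_pem])
  raise "bad signature"       unless key.verify("SHA256", signature, signed)
  old = stored[:sign_count]
  raise "counter did not advance" if (count != 0 || old != 0) && count <= old
  count
end

# Stand-in for the authenticator; flags 0x05 = user present + user verified.
def sign_assertion(private_key, challenge, origin, count)
  cdj = JSON.generate("type" => "webauthn.get", "challenge" => challenge, "origin" => origin)
  auth_data = [OpenSSL::Digest::SHA256.digest(RP_ID), 0x05, count].pack("a32CN")
  [cdj, auth_data, private_key.sign("SHA256", auth_data + OpenSSL::Digest::SHA256.digest(cdj))]
end

# Runs one case and reports :ok or the reason it was rejected.
def outcome(stored, challenge, assertion)
  verify_assertion(stored, challenge, *assertion)
  :ok
rescue RuntimeError => e
  e.message
end

def demo
  device = OpenSSL::PKey::EC.generate("prime256v1") # private key stays on the device
  other  = OpenSSL::PKey::EC.generate("prime256v1") # a party without that private key
  stored = { public_key_pem: device.public_to_pem, sign_count: 4 } # all the server keeps
  ch = SecureRandom.urlsafe_base64(32)               # fresh challenge per login attempt
  { genuine:      outcome(stored, ch, sign_assertion(device, ch, ORIGIN, 5)),
    stale_reply:  outcome(stored, SecureRandom.urlsafe_base64(32), sign_assertion(device, ch, ORIGIN, 5)),
    wrong_origin: outcome(stored, ch, sign_assertion(device, ch, "https://lookalike.example", 5)),
    wrong_key:    outcome(stored, ch, sign_assertion(other, ch, ORIGIN, 5)),
    old_counter:  outcome(stored, ch, sign_assertion(device, ch, ORIGIN, 4)) }
end
```

Calling `demo` returns `:ok` for the genuine login and the rejection reason for each of the other four cases; `public_to_pem` needs the openssl gem 3.0 or later.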


2 participants