-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
passkey authentication 👀 #7
Comments
@deanveloper, I don't think that's a good idea. Passkeys are more secure compared to passwords and MFA, but I don't think we should (or can) implement passkeys in-house. TBH, with how crazy the world is right now (I know this because I'm a journalist), unless Mastodon gGmbH hires a security expert to implement passkeys network-wide, Urusai is better off using a 3rd-party passkey service for security and legality reasons, which may require monthly fees or certain licenses that may go against the AGPL. |
@IRod22 The ticket was mostly just made for tracking any progress/insights about it, I'm not sure if I'd ever actually be able to fully implement something like this. Can you go into detail about why we wouldn't be able to implement this in-house? I'm no cybersecurity expert but I do have experience in authentication mechanisms and the basic dos and don'ts. I know the kinds of things to look out for when implementing authentication and know the kinds of things to search if I'm unsure about something. My only real concern is my lack of Ruby knowledge, so I might use some kind of library for the backend. As long as we use open-source software (doesn't even need to be AGPL licensed) we shouldn't come into any legal trouble with the Mastodon AGPL license. |
@deanveloper, I'm not saying that we couldn't implement passkeys; Rails does have (most of?) the facilities needed, and there is even a WebAuthn implementation for Ruby. I am just saying that passkey technology has to be implemented correctly to be secure. When I evaluate something for security, storage of login credentials, or storage of other user data, I mentally test it against worst-case scenarios that an API server could experience, and I also consider the legal consequences of the feature/system in question failing to safeguard user data. |
Pitch
Passkeys are a relatively new authentication system that makes it so that passwords aren't required. Would be cool if we allowed passkey authentication as an alternative to passwords!
This is probably going to be a pretty big feat since I have no clue how passkeys actually work... LOL. Here is a demo for passkeys, they're essentially a method of authentication where the browser will send a notification to your phone, and asks for a biometric from your phone.
Motivation
Passwords are... quite bad. Not only are they only a single factor of authentication, but they are also quite susceptible to being cracked, and all sorts of attacks.
Passkeys solve this by using public/private key authentication, meaning that even if a data breach occurs, the hacker would only get public keys which are next to useless for stealing credentials.
For the record I'm mostly just making this ticket for myself to track research on what this would look like. There's also a ticket on mastodon's issue tracker here: mastodon#20383
The text was updated successfully, but these errors were encountered: