Webauthn support

Argh, I knew I was missing a route in review. Good catch

I think it’s been like this for a while, but yes these are good changes

Agree, good change.

Perhaps we can re-use the built-in chrome copy here? “You have already registered this security key. You don’t have to register it again.” is a nice clear copy.

Thanks @Falco and @sam for your feedback. I didn’t realise there was a different route for mobile login either! I will start work on these fixes including the password labelling/button changes tonight, hopefully even open a new PR to fix!

I’m really glad this worked on your Android as well (even though the mobile view is not working correctly) — I didn’t have an Android to test with.

May I recommend the Xiaomi Mi 9?

I’m not sure I’m ready to return to Android – I love my iPhone 8 too much

Here is the PR to fix up the above

Who said return? That is old world thinking! Modern people own multiple devices

This is very nice!

One minor niggle though: on Safari/Mac, Web Authentication is a developer-only feature, off by default. When enabled, it works well. But we should likely show a message or a warning when Web Authentication is not enabled. Currently, on default Safari, nothing in the UI indicates that the registration process won’t work (the console has an error):

image.png2848×1542 461 KB

We can feature detect using navigator.credentials I assume.

Some people have a hard time justifying the extra expense even though it’s nice

Argh I did that feature check on navigator.credentials.get but not create sorry about that, will be a quick fix!

The most recent commit seems to be working. I was able to use 2-factor (with fingerprint!) on my android phone just now.

Hey Penar, I’ve got a fix up for this now, are you able to check it out on Safari? [FIX] Check webauthn support when registering security keys by mjrbrennan · Pull Request #8146 · discourse/discourse · GitHub . I’m just not sure if the method of feature detection I’m using will work with Safari having the feature turned off.

Sam beat me to the merge but this looks good on Safari, thanks Martin!

Right but in this case it is a normal part of work at Discourse so we would cover the cost. Sorry if that was not clear, but hopefully it is clear now?

Congrats on WebAuthn support! Interesting to see you rolled your own solution instead of using the webauthn gem, if there’s any feedback for us there I’d love to hear it

I noticed in your implementation only supports algorithm -7 (ES256), but Windows Hello platform authenticators (backed by TPM 2.0 hardware) require -257 (RS256) as per Microsoft’s documentation. TPM 2.0 is required since July 28, 2016 for new Windows 10 desktop models, so that’s not an insignificant amount of hardware.

One suggestion for the “Login Flow” mockup - WebAuthn has an official logo that could be used instead of a generic fingerprint image. Besides fingerprint, facial recognition, swipe pattern or PIN are common user verification options as well.

@Martin_Brennan any thoughts on

Thank you for the feedback Rafe, we will need to add the additional algorithm here then. And thank you for the link to the official logo! My thought when I set only one algorithm was to just add the minimum number of supported algorithms to get things working for V1, as I wasn’t sure of nuances between all the algorithms, and ES256 was used in all the examples I could get my hands on.

As for why at the time I opted not to use the gem, I agonized over this quite a bit, and I knew I would be asked about this decision at some point. I certainly read through a lot of the code in the gem to get a better understanding of the implementation. The main reasons were:

1. Not wanting to add an additional dependency to Discourse. Every gem dependency adds additional overhead, no matter how excellent the code in that gem may be.
2. Wanting to have a good understanding of how such a critical security piece of Discourse operates. I thought that having the code within the core of Discourse would make things clearer and easier to extend, without having a “black box” so to speak. (Not an indictment of the gem itself or its complexity, I realize people could just go look at the code there, and I found it quite easy to follow what was going on).
3. Not wanting to add more than the minimum required code to get Webauthn running, for example I left out attestation from our initial implementation. I didn’t think there was much point adding a whole toolshed when all we needed was a spanner.

That being said, this could have been misguided on my part, and if we get into V2, V3 etc. of webauthn support with attestations, more supported algorithms, and what have you, it may become too laborious for us to become “Webauthn experts” so to speak, and at that point I think we could re-evaluate use of the gem.

Support for the additional RS256 algorithm is now merged FEATURE: Support RS256 algorithm for webauthn by martin-brennan · Pull Request #8385 · discourse/discourse · GitHub

It seems, iOS 13.3 and macOS Catalina 10.15.2 are now supporting FIDO2-auth as well

This update also includes bug fixes and other improvements. This update:

• Adds support for NFC, USB, and Lightning FIDO2-compliant security keys in Safari