Is anyone working on a FOSS software solution for a FIDO2 authenticator? I know of Authy (which isn’t FIDO2, iirc) and some other projects, but none implement the passwordless login.
I have some time and the interest. I know attestation is an (optional?) part of FIDO2, and an OSS app will probably never be “verified”. Still, having a pure-software option/reference would be a boon.
Since this is extremely important for the future of the free web, I’m absolutely willing to help any project with these goals.
I've considered adding FIDO2 support to the software-only U2F token I wrote in Rust. It's a fair bit of work though, and I am not sure how comfortable I am with passwordless login unless the keys are kept purely in hardware such as a TPM.
That said, my reading of this post is that FIDO2 support will get built into Chromium directly, which is itself open source. Or if you do want a hardware key but running open software, I'd definitely recommend https://solokeys.com/, I've been following them for a long time.
> I am not sure how comfortable I am with passwordless login unless the keys are kept purely in hardware such as a TPM.
Shouldn't this be something for the user to decide? Using a TPM as a key is a bit silly; it amounts to turning the computer as a whole (strictly speaking, its motherboard and/or CPU) into a big smartcard/FIDO key. If that physical device breaks down, the associated identity is toast. A purely software-based key you can always back up.
Yes that's fair, it's a trade-off. Thinking more, there are really three levels of protection I see.
1. Keep keys in a file/the keyring. This protects them somewhat from non-root users on the same machine. It also provides phishing protection, which is really the most important aspect of U2F/WebAuthn to most people. If your computer is compromised, all the keys are compromised.
2. Keep keys in the TPM. The only additional protection over #1 is if you recover your computer after it is compromised, you can be reasonably certain the attacker could not make a copy of the keys and thus can no longer use them to authenticate. Arguably this is not a particularly useful protection.
3. Keep keys in the TPM/secure enclave and unlock them via biometric. This does provide meaningful extra protection if every use requires an unlock. Then if your computer is compromised, the attacker will have to either defeat the biometric unlock, or trick you into unlocking for every authentication attempt.
#1 is what I do right now for rust-u2f, and I think you're right #2 is not really useful. So maybe it's worth just implementing FIDO2 without worrying about TPM support. What I really was talking about was doing #3 for Linux, but I don't see a way to meaningfully accomplish it without tight hardware integration.
P.S. It is recommended to register multiple FIDO keys and/or have backup codes for accounts as a way to mitigate the issue of one physical device breaking toasting an identity. Not all providers may support this, for silly reasons.
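The trade-off in level #1 above, as an added example that is not part of the thread and is not rust-u2f's code: a sketch of a stateless software token whose key handles are bound to the U2F application parameter (SHA-256 of the app ID). The HMAC-based handle layout, the function names and the `.example`/`.test` origins are assumptions for illustration; a real token would derive an ECDSA key from the seed and sign with it, which is left out here.

```python
import hashlib
import hmac
import os

def app_param(app_id: str) -> bytes:
    # U2F application parameter: SHA-256 of the app ID the browser saw.
    return hashlib.sha256(app_id.encode()).digest()

def handle_tag(master: bytes, param: bytes, nonce: bytes) -> bytes:
    # MAC that ties a key handle to one token secret and one app ID.
    return hmac.new(master, b"tag" + param + nonce, hashlib.sha256).digest()

def derive_seed(master: bytes, param: bytes, nonce: bytes) -> bytes:
    # Per-credential private-key seed, re-derived on use instead of stored.
    return hmac.new(master, b"seed" + param + nonce, hashlib.sha256).digest()

def register(master: bytes, app_id: str) -> bytes:
    # Key handle handed to the relying party: nonce || tag (64 bytes).
    nonce = os.urandom(32)
    return nonce + handle_tag(master, app_param(app_id), nonce)

def authenticate(master: bytes, app_id: str, key_handle: bytes):
    # Returns the credential seed, or None when the handle was not issued
    # by this token for this app ID.
    if len(key_handle) != 64:
        return None
    param = app_param(app_id)
    nonce, tag = key_handle[:32], key_handle[32:]
    if not hmac.compare_digest(tag, handle_tag(master, param, nonce)):
        return None
    return derive_seed(master, param, nonce)

def demo():
    # Constructed secret; stands in for the value kept in a file or keyring.
    master = os.urandom(32)
    handle = register(master, "https://bank.example")
    genuine = authenticate(master, "https://bank.example", handle)
    # A look-alike origin hashes to a different application parameter,
    # so the same handle is refused: the phishing protection of level #1.
    lookalike = authenticate(master, "https://bank.example.evil.test", handle)
    # A byte-for-byte copy of the secret behaves exactly like the original:
    # the "if your computer is compromised" caveat of level #1.
    copied = authenticate(bytes(master), "https://bank.example", handle)
    return genuine, lookalike, copied

if __name__ == "__main__":
    genuine, lookalike, copied = demo()
    print(genuine is not None, lookalike is None, copied == genuine)
```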
Now that there are fewer eyeballs on this, here's our open source JWT alternative:
https://github.com/Cyphrme/Coze. We've got a roadmap for using that to build alternatives to FIDO. Please feel free to message me with questions or anything else and I will detail our plans.
Before competing against FIDO, the libraries need to be far more ergonomic. Coze is a good start.
> I’m absolutely willing to help any project with these goals.