In 2019, the German c't magazine published some articles [1, 2, 3, 4] about FIDO2 and the new WebAuthn protocol, promoting a bright password-less future. The basic idea is simple and IMHO simply great: use a specialized little hardware device as key generator and secure private key storage. Somewhat like a "TPM to go", and with a simple interface (quite unlike TPM *eg*)
So, after some time of this suggestive promotion I headed straight to the next web store and got such a FIDO2 stick. But soon disillusion started to take place: Yes, you can use the stick on some large sites like Microsoft or Google. But I use my Google account only very minimalistically (Play Store for apps on my mobile), and don't even have a Microsoft account (what for?). And yes, there are some other sites where you can use the stick, but only as a second factor. So the current reality is far from the password-less vision :-(
My next thought was: Even if I use the FIDO2 stick only my private
web server, even this would increase both, comfort (no password) and
security (no rememberable password) at the same time. There surely is
some Apache module for FIDO2 authentication, let's do apt
search apache fido2
and ... nothing ?!? Hm, not packaged yet?
Found a list
of FIDO2 related software, but also there all the server-side
stuff is only intended for standalone authentication servers. Is it so
hard to verify a signature??
Anyway, my disappointment finally turned to activity, and I started to dive into WebAuthn protocol descriptions and example Apache authentication modules. And that turned into some code, and the result is my mod_authnz_fido2 project.
My design goals with that Apache module roughly were:
What I've learned during implementation is that the client side (in the browser) is available only from JavaScript, so I had to deliver some JS code to the client. I tried to do that somewhat transparently, so that the HTML code itself is not affected. The other learned lesson was that there's no way to use Bearer authentication without processing the tokens with JavaScript. So I've finally ended with storing the token in a cookie that is automatically passed to the server subsequently.
Last modified: Fri Jul 31 21:46:34 2020
Please send questions and comments to [email protected] Copyright (C) 2002-2020 Roman Hodek |