[RFC] Proposal: integrate 2fa and webauth into KDE Connect
Mayeul Cantan
mayeul.cantan at gmail.com
Sun Apr 22 11:42:18 UTC 2018
Hello,
I would be interested in seeing some 2fa elements making their way
into KDEConnect.
I am not too interested into protocol implementation details, or very
specific behaviour for now, just into some basic workflow.
Firstly, the basic authentication (one time passwords/time-based one
time passwords) mechanisms such as the ones offered by Google
authenticator (https://en.wikipedia.org/wiki/Google_Authenticator)
could be implemented, and integrated into the app.
Secrets would be stored globally, and a new menu, "authentication"
would appear for each connected device, with the same elements inside.
Tapping a code would send it as keyboard events.
Secondly, this might be more interesting, future-proof and user
friendly, although not widely deployed yet (supporting this would
obviously put KDE Connect on the edge here): Webauth.
Webauth defines a specific set of APIs that can be used to ask browser
for cryptographic proofs of identity. It seems to be a well-thought
standard.
Of course, we're no web browser. I am suggesting KDE Connect could act
as a store for secret keys on the phone, or as a gateway to them
(ideally, these would reside in the TPM if the phone has one, or any
other secure store, such as an NFC security card -- maybe just
containing a master key that's used to decrypt the other keys).
This would make KDE Connect behave as an authenticator as defined in
https://www.w3.org/TR/webauthn/#authenticator and implementing
https://www.w3.org/TR/webauthn/#sctn-authenticator-model
Usage would be as follows:
* The user uses his normal browser to visit a website that uses the
webauth API. The browser queries the system to see if any
authenticator is present
* I am not sure what API is used, it could be
https://github.com/Yubico/libu2f-host or anoter, DBus-based one. Maybe
GPG-agent?
* Regardless, depending on the browser's behaviour, it will prompt
the user for authenticating using his dedicated hardware
* (at this point, the user usually presses a hardware key on his
authenticator, or enters a password on some system prompt)
* If the user is registering for the first time, we can ask which
device to register on (including maybe some desktop application)
trough a system tray notification.
* If it is connecting to a website, the device that has a matching
credential ID displays a prompt. If multiple devices have one, display
a selection in a tray notification
* Upon validation by the user, the KDE Connect app signs the
challenge and sends it back;
Here is a user story, if that helps:
* John wants to log in into www.example.com
* He opens Firefox and browses to www.example.com
* A KDE Connect notification appears in the system tray, asking him
to authenticate using the app
* John opens the KDE Connect app on his phone, which may require
unlocking the phone
* John is prompted to select between the identities "John123" or
"Bob456", and taps "John123"
* John is now logged into www.example.com
Multiple security levels (TPM storage, PIN, etc) could be implemented
on a per-key basis, at a later date. A gpg-agent implementation would
be nice as well (and imagine using your phone as a 2fa token/secure
storage for your SSH keys).
This is mostly a raw dump of what I've been thinking about lately,
what do you think about implementing such an API, mechanism and
interface into KDE Connect?
Also, I apologize if there are some errors, misunderstandings or
unclear things in the post above. I am not yet familiar with the
specifics of these standards and their implementations.
Best,
Mayeul
More information about the KDEConnect
mailing list