[RFC] Proposal: integrate 2fa and webauth into KDE Connect

Sun Apr 22 11:42:18 UTC 2018

Hello,

I would be interested in seeing some 2fa elements making their way
into KDEConnect.

I am not too interested into protocol implementation details, or very
specific behaviour for now, just into some basic workflow.

Firstly, the basic authentication (one time passwords/time-based one
time passwords) mechanisms such as the ones offered by Google
authenticator (https://en.wikipedia.org/wiki/Google_Authenticator)
could be implemented, and integrated into the app.

Secrets would be stored globally, and a new menu, "authentication"
would appear for each connected device, with the same elements inside.
Tapping a code would send it as keyboard events.

Secondly, this might be more interesting, future-proof and user
friendly, although not widely deployed yet (supporting this would
obviously put KDE Connect on the edge here): Webauth.

Webauth defines a specific set of APIs that can be used to ask browser
for cryptographic proofs of identity. It seems to be a well-thought
standard.
Of course, we're no web browser. I am suggesting KDE Connect could act
as a store for secret keys on the phone, or as a gateway to them
(ideally, these would reside in the TPM if the phone has one, or any
other secure store, such as an NFC security card -- maybe just
containing a master key that's used to decrypt the other keys).

This would make KDE Connect behave as an authenticator as defined in
https://www.w3.org/TR/webauthn/#authenticator and implementing
https://www.w3.org/TR/webauthn/#sctn-authenticator-model

Usage would be as follows:
 * The user uses his normal browser to visit a website that uses the
webauth API. The browser queries the system to see if any
authenticator is present
 * I am not sure what API is used, it could be
https://github.com/Yubico/libu2f-host or anoter, DBus-based one. Maybe
GPG-agent?
 * Regardless, depending on the browser's behaviour, it will prompt
the user for authenticating using his dedicated hardware
 * (at this point, the user usually presses a hardware key on his
authenticator, or enters a password on some system prompt)
 * If the user is registering for the first time, we can ask which
device to register on (including maybe some desktop application)
trough a system tray notification.
 * If it is connecting to a website, the device that has a matching
credential ID displays a prompt. If multiple devices have one, display
a selection in a tray notification
 * Upon validation by the user, the KDE Connect app signs the
challenge and sends it back;

Here is a user story, if that helps:
 * John wants to log in into www.example.com
 * He opens Firefox and browses to www.example.com
 * A KDE Connect notification appears in the system tray, asking him
to authenticate using the app
 * John opens the KDE Connect app on his phone, which may require
unlocking the phone
 * John is prompted to select between the identities "John123" or
"Bob456", and taps "John123"
 * John is now logged into www.example.com

Multiple security levels (TPM storage, PIN, etc) could be implemented
on a per-key basis, at a later date. A gpg-agent implementation would
be nice as well (and imagine using your phone as a 2fa token/secure
storage for your SSH keys).

This is mostly a raw dump of what I've been thinking about lately,
what do you think about implementing such an API, mechanism and
interface into KDE Connect?
Also, I apologize if there are some errors, misunderstandings or
unclear things in the post above. I am not yet familiar with the
specifics of these standards and their implementations.

Best,

Mayeul