A list of puns related to "WebAuthn"
Tweag and Mercury are happy to announce a server-side library for the WebAuthn standard (part of the FIDO2 project), available as webauthn on Hackage! If you have a web server written in Haskell that allows users to create and log into accounts, this library might interest you, and we'd love to have feedback as we refine the interface of the library. The source of the library is available here; feel free to open issues, PRs or leave a comment here!
The WebAuthn standard allows users to easily and securely authenticate to websites with public key credentials, generated and stored on secure authenticators like Yubikeys, TouchID, TPM and more. This can either be used to secure accounts with second-factor authentication, or as a first factor, allowing users to log in without a password or even a username. See here for a WebAuthn guide and demo. Here's another and another demo.
Originally forked from a hackathon project by Arian and taking inspiration from an alternative implementation by Fumiaki (also known as webauthn-0 on Hackage), this library has been developed by a team at Tweag, as contracted by Mercury, whose intention is to sponsor a good open-source library for the Haskell ecosystem, many thanks!
While the general design of the library isn't expected to change very much, it should currently still be considered an alpha version, as Mercury and ideally others try out the library and give feedback. As such, if you have a website with user accounts running on Haskell, we'd love for you to try it out and tell us what could be improved! To get started, here are our recommendations:
Hey everybody!
I'm one of the maintainers of an open source identity aware access proxy called Pomerium. We just released v0.16 which includes a bunch of new features, but there's one in particular that has been in the works for months that I'm really excited about and wanted to share: Pomerium now supports incorporating device identity into your access policies.
The long version of why I think this is a big deal is because when you look back to some of the foundational ideas and writings around zero trust (i.e. Jericho, BeyondCorp, NIST, etc) device identity plays a cornerstone role. It's not only user, but also device identity that makes the zero trust access model so compelling.
The problem has been that supporting device identity in a uniform way has been really challenging. Your options were essentially either to get device details from MDM, enroll and manage client device certificates, or -- if you are Google -- make your own TPM chip (only slightly joking!). But frankly, the barriers to entry for authZ device state have just been too high for most individuals and organizations. To try to lower that adoption barrier, Pomerium instead uses WebAuthn, which is built into all modern browsers, to retrieve cross-platform & hardware-backed device identity all without needing any additional client software, or certificate management.
Though it's still early days for device context, and there's much more work to be done -- especially around things like device posture -- I hope I've piqued your interest to give the feature a try or to check out our webauthn go library.
And finally, I want to thank all our users and to everyone who contributed to the project so far. Happy to answer any questions for a bit while I'm here.
I see that Proxmox 7.1 (I think) added something for WebAuthn and I got curious and decided to look it up. I may be wrong but I think it would allow me to log in via 2FA using a web certificate? Please correct me if I am wrong but if that is the case does anyone know how to set this up?
Hi,
Just bought some stuff from bestbuy. When I was logging in, I noticed bestbuy as a login with webauthn on it. Under account settings, I don't see any register webauthn. Does anyone know how I can do this?
And will the iOS/iPadOS bestbuy app work with an NFC key on iOS and a usb-c on ipad pro? I sort of doubt if a yubikey usb-c works on ipad pro (outside of Safari or Chrome), is there an option to fail over to TOTP 2FA?
Is there any update on whether Brave for Android gets any support for FIDO2? Chrome for Android works with my YubiKey 5 NFC but Brave does not currently :( Thanks.
Also what is the benefit of enabling my vault for the new standard? Do I need to set some kind of PIN?
I'm using Windows 10 on Firefox for reference, and I also use the vault on my iPhone 8.
I am trying to set up two YubiKeys on a new Win 10 laptop to use webAuthn. I log into the vault, and go to add a key. The first key is accepted with no problems. When I try to register the 2nd, I get a popup asking for my Windows PIN. I enter the PIN, but it is rejected. I have tried removing key1 and registering key2 first, and regardless of which key I use, the second key always gets the same PIN issue. I have also removed the Windows PIN, and set up a new PIN. The result did not change. Whichever key was second, it would not register due to PIN errors, i.e. I'm entering the wrong Windows PIN (which I just used to add the first key).
Following on from that. With one key registered in BW, I tried to log into BW, but I only get the option to use my Windows PIN or fingerprint; there is no option to use the YubiKey. I read that you should cancel the Windows verification in order to get the YubiKey option, but when I do that the login fails.
I set up my main PC with the PW and YubiKey system and I am trying to get the new laptop to act like my main one, just not sure what is going on.
what should I try?
Thanks for your help
(I should clarify this is my experience using the Android app and functionality added with the latest update. Logging in via WebAuthn in Chrome on Android works fine.)
Does anyone else have to authenticate with their Yubikey via WebAuthn (at least) twice to get BitWarden to login on Android?
The login flow is quite long, but would be considerably better if it didn't hang the first authentication attempt.
Here's what the flow looks like for me. Repeatable and on two Android phones.
Usually 1-10 is necessary. But it rarely if ever logs in with just steps 1-5.
It's like this on my Google Pixel and another Samsung phone I have. I'm able to login using WebAuthn but it's super clunky. WebAuthn works as expected in Chrome browser on Android and in Windows.
Compare this to Yubico OTP on Android.
Is anyone else experiencing this?
Edit: It's been confirmed as a bug by multiple people. Bitwarden Community thread here and GitHub thread here.
In the meantime, just tapping YubiKey immediately after selecting "Use security key with USB" works for me.
Hello all,
I've configured webauthn passwordless in my authentication flow for browsers. This works great, but there's one thing I'd like to change if possible.
During login keycloak prompts for a username/email and when this matches with a keycloak user in the realm a button with "Sign in with security key" is displayed.
This allows someone to check if specific usernames or email addresses are registered in a specific keycloak realm. I'd like to avoid this, by letting the user select the identity they want to use in the native browser webauthn dialog as shown here https://imgur.com/a/0hUdETT
I don't know if this can be done in keycloak? When I remove the User Form from my flow, I can no longer authenticate and immediately get an "Invalid username or password." error on the login page.
Is there another provider I can execute in my flow which lets the browser prompt the user for a webauthn identity to use?
I was tinkering with WebAuthn in BitWarden and when I went to add a key both my phones popped up...
Clicking on my current phone did nothing but clicking on my old Pixel XL sent a notification to my phone. Boom it worked. I think it's a part of the newest Chrome update that isn't yet available on my Play store. Chrome 95, but Google hasn't pushed that update to me yet.
Apparently there's a chrome flag called "Web Authentication caBLE v2 support." I enabled that in Chrome on my main phone, but it still didn't work.
I loaded Chrome Canary on my phone and badaboom. I think I'll go back to stable and wait for update but I just wanted to experiment.
caBLE tech seems pretty cool. Something about cloud assisted Bluetooth low energy to prove proximity to the device you're logging into. It uses Bluetooth between devices without pairing. It just proves proximity.
Anyway some people may not trust anything cloud related and security key but I think it's pretty cool but it's hard to find anyone talking about it anywhere outside of Chromium repository. I just find articles from 2019 about using your phone as a security key for Google services. This latest update allows you to use your phone as a security key everywhere WebAuthn is supported.
I did find these though:
https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/go6GoFW27Dw/m/9flCLR5pBQAJ?pli=1
and this...
https://blog.millerti.me/2021/06/18/previewing-chromes-cable-v2-support-for-webauthn/
and this...
https://www.google.com/amp/s/9to5google.com/2021/08/01/chrome-android-2fa-security-key/amp/
But in that last article I don't think he realizes that it can be used for services outside of Google.
Anyway, I went from my single Yubikey today to having three additional backup security keys without spending $150...
My current phone, my old Pixel and Windows Hello using TPM module.
I just got my Yubikey 5, and wanted to enable WebAuthn to secure my vault. I followed the guide on Bitwarden's website, but when I added the Yubikey as my 2FA, the web vault only prompts Windows to ask me for a PIN, but not to touch the Yubikey.
When I touch the Yubikey, it just says "Provide a PIN". So, when I attempt to log in with Webauthn enabled, I just have to put the PIN in - it doesn't matter whether my Yubikey is plugged in or not.
Any ideas what could be the issue? I'm on the latest version of Firefox.
Let's say I am in a hostile network (which performs e.g. TLS interception) and using their own machines. I want to log in to a service where I can use either username/password + 2FA TOTP, or WebAuthN passwordless with my yubikey.
I know (and please correct if wrong) that if I use the former, my password will be intercepted in cleartext. My OTP will also be intercepted as I am logging in, but that's less of a concern as it cannot be used a second time.
If I choose to log in passwordlessly via WebAuthN with my Yubikey, can they intercept anything that is useful in giving them the ability to login to my account once I have left the premises?
We can assume, for this example, that I don't mind them intercepting any other traffic (i.e. what I am doing once logged in), I am only concerned with leaving authentication information behind.
Listen, it's 2021. A lot of services allow setting up FIDO2 U2F or similar passwordless methods. Why not Discord?
We always say that security is important and we need to improve it at every step. And yet, after 6 years of existence, we don't have any U2F security layer for Discord.
I am using Firefox Nightly, v95.0 along with Manjaro Linux as my OS on my laptop. I also enabled WebAuthn (I think is what it's called) and I can use it just fine on my Windows laptop.
I have Brave and Firefox Stable installed on my Linux machine. I signed into both of those prior to enabling WebAuthn, so those aren't an issue.
My Issue:
When I go to sign into Bitwarden on Firefox Nightly on Linux, I get prompted to open a new tab to complete the 2 Step Process. However, when I get directed to the Bitwarden Vault, I get in a seemingly endless loop of HCaptcha. I am using a VPN, I do have Nightly customized via about:config, I do have uBlock Installed. I keep being put back to complete the puzzles via HCaptcha and I can't seem to continue. It's been about 2 or 3 minutes of doing the puzzles to no success.
I am pretty sure I am selecting the Boats and the Buses correctly lol
You can now use your solo with Firefox for Android :D
I tested with NFC, but I assume USB works too.
With an NFC Yubikey, I'm struggling to get it working. As soon as I try to authenticate via Webauthn, I'm taken to my browser, which tries validating in a Yubico webpage, but never returns back to Bitwarden.
Is anyone able to get Webauthn 2FA, with a Yubikey 5 NFC, working on Android please?
I'm new to yubikey but have a couple 5C and a mini. For Bitwarden, I see both yubico and webauthn as options. Which one should I pick and why?
Let's say I have an authenticator app built on Keycloak that utilizes webauthn. I want to know what exactly the user used for authentication: is it fingerprint or Face ID or an approve message? From the server side I only get that webauthn was successful.
Thanks
I've bought a Yubikey 5 NFC and I'm struggling to understand the differences between the two supported Yubikey protocols to add it as a 2FA to my account.
I've actually set YubiKey OTP Security Key, as it worked fine, but upon reading the documentation on the Yubikey website on how to set it for bitwarden by clicking on (Let's start at the bottom), it points me to the Bitwarden's documentation for FIDO2 WebAuthn.
I understand a yubikey can be used in different ways as it supports multiple scenarios.
What would be the pros and cons on setting one or another?
Below is a screenshot of the 2FA methods available for bitwarden. It does give the impression the Yubikey OTP is the one way to set up a Yubikey...
A little part of me dies every time I log in with Yubikey OTP. FIDO2/Webauthn is supported by pretty much every major platform at this point. I would have expected Bitwarden to jump on this given how security-focused the team seems to be.
U2F/FIDO2/Webauthn are standards for using a hardware security key for 2-Factor Authentication on websites. It basically prevents phishing attacks and is thus a lot more secure than (say) Google Authenticator or other similar software authenticators. Kraken website:
>We plan to add FIDO U2F and FIDO2 protocol support in the near future
And:
>With the U2F protocol (coming soon to Kraken), YubiKey
(https://support.kraken.com/hc/en-us/search?utf8=%E2%9C%93&query=u2f)
But, from this old tweet it seems that Kraken planned to do this already in 2019:
>We are planning on adding FIDO U2F and FIDO2 protocol support in the near future.
https://twitter.com/krakensupport/status/1192532130103992323?lang=en
Coinbase seems to support U2F which is great. Maybe there are other exchanges also which support U2F?
Q: Is there any more recent news about this feature coming to Kraken? I think U2F or FIDO2 is the gold standard of 2FA and should be available on all financial web services out there. It would be nice if Kraken also supported it. Especially now that many HW wallets also support U2F.
Hello all,
Is anyone using FIDO2 via NFC on an iPhone 12 or iPhone 12 Pro successfully?
I'm on an iPhone 12 Pro and when it prompts me to scan the key, I can literally rub the key all over the outside of the phone (even with no case) and it won't register anything.
I'm using the FIDO2 demo apps at webauthn.io and webauthn.me, as I'm developing an internal app using FIDO2 at our company and I definitely had this working on my old iPhone 7.
Can't find a lot online talking about it, even in this sub (that I've seen), although people seem to recommend it like it is working: I saw a suggestion that it may be related to having a PIN set, so I used Yubikey Manager to reset the FIDO2 app and remove the PIN, but I'm still seeing the same behaviour.
I was using my Yubikey 5 NFC with u2f/fido before, which worked fine; however, after the update to webauthn I re-registered my key, and now it doesn't work correctly. Chrome complains that this is an unrecognized key, whereas in Firefox it auto-submits on 4 characters (normally it should wait for the user to press enter when asking for the PIN during the user verification required in webauthn).
Also the problem isn't the key since I am using this on multiple other services like porkbun, Google etc, and I've tried
I believe the js implementation library used is at fault and needs to be looked into
I've activated the webauthn login with the yubikey. Is it possible to log in without password and email, only plugging in the key?
Hi,
as I'm starting to use my Pinephone more and more I'm considering migrating everything important from my other phone. One app I must be able to use is Authy in order to have two factor authentication for Github and few more other services. I just used SMS this morning as a backup which worked well but other services don't have that option.
I found this simple go CLI tool https://github.com/rsc/2fa that would do the job. Setting up without a QR code does not seem too fastidious, as it could be done via ssh by copy/pasting text codes.
I do also have a Yubikey and got it working just earlier via ykman (and pcscd, libu2f-host with udev rules), even in the browser via the JS U2F API https://github.com/grantila/u2f-api .
Consequently I'm wondering what you are using and what are the different trade offs.
What is WebAuthn?
WebAuthn is a new W3C global standard for secure authentication on the Web supported by all leading browsers and platforms.
https://www.yubico.com/authentication-standards/webauthn/
More information about EOSIO WebAuthn key & signatures:
https://github.com/EOSIO/eos/issues/7012
proposer: eosnationftw
name: webauthn
https://bloks.io/msig/eosnationftw/webauthn
Protocol Feature: WEBAUTHN_KEY
4FCA8BD82BBD181E714E283F83E1B45D95CA5AF40FB89AD3977B653C448F78C2
https://bloks.io/protocol-features
Deployed & tested on Jungle3 Testnet since Feb, 2020 (17 months)
Compatible with current EOSIO system contract v1.9.2 (operates on EOS Mainnet & Jungle3)
https://github.com/EOSIO/eosio.contracts/releases/tag/v1.9.2
I've read a couple of articles online, but don't manage to grasp FIDO2 fully.
Many thanks for any answers (you don't have to go in full detail) or suggestions containing good and easy explanation articles and/or videos etc. Also, many thanks for taking the time to do so!
My Solokey is working on most of my devices, but not my OnePlus phone. I'm getting webauthn error "InvalidStateError; The user attempted to use an authenticator that recognized none of the provided credentials."
I'm getting the same error for both NFC and USB connection. Any suggestions?