Feature: Passkey Authentication Support

What does this MR do and why?

This adds (optional, disabled by default) support for logging in via passkeys as an alternative authentication method, using the py_webauthn library.

This means 1 additional top-level dependency for Crafty, and ~45 potential translation texts (sorry!).

Resolves: #618 (closed)
Documentation: crafty-documentation!20 (merged)

Features:

  • App-wide toggle that's disabled by default - passkeys require full trust between the client & server: either valid TLS certificates or localhost only
  • "Sign in with Passkey" button added to login page (if app-wide option is enabled)
  • Per-user passkey management tab & options (if app-wide option is enabled)
  • Support for all FIDO2-compliant authenticators (security keys, Touch ID, Face ID, Windows Hello, Android biometrics, etc.)
  • Ability for users to disable password authentication for their account, enforcing passkey logins only
  • Prompt to add MFA still displays if the user allows password logons but has not yet configured MFA

Why?

In security, we like to say there are three classes of authentication factor that can be used to verify a person's identity, typically one or more of:

  • Something they physically are (e.g. biometrics)
  • Something they physically have (e.g. a hardware token, ID card, etc.)
  • Something they know (e.g. a password)

Passwords fall squarely into the last category - they can be guessed, stolen, and/or re-used, which makes them less than ideal as an authentication method. Multi-Factor Authentication (MFA) mitigates some of these password issues, but is still vulnerable to attacker-in-the-middle (AitM) style attacks.

Passkeys offer a simpler alternative that shifts the focus onto the physical side - they require physical access to a device, and optionally user biometrics too. Passkey standards also have built-in protections against credential re-use and AitM scenarios, resulting in a stronger security posture against most phishing attacks.
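As an added illustration (not code from this MR or from py_webauthn), here are the relying-party binding checks behind the AitM resistance just described: the browser embeds the origin it is actually running on in clientDataJSON, and the authenticator signs the hash of the RP ID, so an assertion captured through a look-alike domain fails server-side validation. The RP ID, origin and authenticator data are constructed to match the localhost:8443 setup described later in this MR; signature verification is left out.

```python
import base64
import hashlib
import json
import secrets

# Constructed values matching the localhost:8443 setup described in this MR.
RP_ID = "localhost"
EXPECTED_ORIGIN = "https://localhost:8443"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Simulate the clientDataJSON a browser builds for navigator.credentials.get();
    the browser, not the page script, fills in the origin it is really running on."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Simulate authenticatorData: rpIdHash (32 bytes) || flags (UP|UV) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """The binding checks a relying party runs before verifying the signature.
    Signature verification over authData || SHA-256(clientDataJSON) is omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Fresh per-login challenge: a captured assertion cannot be replayed later.
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # Origin binding: an assertion made on a look-alike domain carries that domain.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    # RP ID binding: the authenticator signs the hash of the RP ID the browser permitted.
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    return True, "ok"

if __name__ == "__main__":
    ch = secrets.token_bytes(32)
    print(verify_assertion(make_client_data(ch, EXPECTED_ORIGIN), make_auth_data(RP_ID), ch))
    # AitM proxy on a look-alike domain: the victim's browser embeds the proxy's origin/RP ID.
    print(verify_assertion(make_client_data(ch, "https://localhost.evil.example"),
                           make_auth_data("localhost.evil.example"), ch))
```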

Research also firmly indicates that users have a much better experience with passkeys than with passwords: Microsoft claim that passkey sign-ins are on average 3 times more successful than passwords, and 8 times faster than a password-plus-MFA flow.

Most modern smartphones can act as a credential manager for passkeys, so even on systems where passkeys aren't directly supported (e.g. Windows 11 without Windows Hello), a QR code is generated to let the user create, store, and use passkeys on their phone and thereby log in on the unsupported device.

Screenshots or screen recordings

App-wide passkey toggle [screenshot]

Passkey sign-in button [screenshot]

Per-user passkey management tab [screenshot]

How to set up and validate locally

  1. Pull branch/fork
  2. Ensure you either have fully valid/trusted certificates for the domain you are accessing your panel on, or have set localhost:8443 as your base_url in your config.json (note: 127.0.0.1 is unlikely to work in many browsers - there are special exceptions for localhost specifically)
  3. Access your panel via the configured & trusted base_url
  4. Use the "Panel Settings" UI to enable passkey support
  5. Use the "Account Settings" panel to access the new passkey management UI
  6. Add/edit/remove passkeys as desired (note that you can use a smartphone or FIDO2 hardware security key if your host OS does not natively support passkeys)
  7. Attempt to log in with the passkey(s) to verify everything works as expected

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • Have you checked this doesn't interfere/conflict/duplicate someone else's work?
  • Have you fully tested your changes?
  • Have you resolved any lint issues?
  • Have you assigned a reviewer?
  • Have you applied correct labels?
Edited by Iain Powrie
