U2F Authentication, WebAuthn (As Core feature)

tankerkiller125

All major browsers are making major moves to support WebAuthn which is a standardized way to communicate with U2F keys like those made from Yubico, Understandable some browsers currently support it more than others and some have it enabled by default while some others have it disabled by default, however the end goal from all of the browser maintainers is to fully enable and support it.

As a forum admin, I feel like all good forum software should come by default with strong security features like TOTP Two Factor and now U2F since browsers are supporting it. The lack of two-factor authentication of any kind makes me worry that someday someone may steal my credentials or another admins credentials and do some real damage.

I'm open to discussion on the best way to do this, I am aware that there is already a two-factor authentication plugin, however, implementing good security should not fall on the shoulders of plugin developers especially since it adds another layer of possible attack as the plugins are separate from the core and are using APIs to get and send information to/from the core.

Digital

Yes, Flarum has an extension for that.

Let's see what our Core Devs has to say on this one.

Marianox

Digital No, that extension for what I can see supports 2FA, no U2F, that's a new standard of authentication getting really good traction.

Digital

Marianox Yes I know. I am just pointing out that there is currently a 2FA extension available.

I also pointed out that, we'll see what'll Core Devs say about the other one. ? Apologies if i wasn't too clear on that.

jordanjay29

For the record, the only times I've seen U2F security is for enterprise-level software. I know some websites support it, but adoption is really low at this point, and Microsoft Edge isn't even compatible at all.

I'd definitely encourage someone to make an extension for it, just like 2FA has one, though. There's nothing wrong with having such level of security available.

BlackSheep

jordanjay29 Edge supports Webauthn authentication.
https://blogs.windows.com/msedgedev/2018/07/30/introducing-web-authentication-microsoft-edge/
https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integration/web-authentication

tankerkiller125

jordanjay29 I'm a firm believer in extremely strong security, and giving people the option to enable whatever strength of security they want, understandably U2F is low adoption but because MS Edge will support using Windows hello logins and the fact that the security keys are getting cheaper I think that it will quickly gain traction.

matotubol

Any plans for U2F since its becoming a normal thing now slowly?