authelia/docs/content/en/roadmap/active/webauthn.md

4.4 KiB

title description lead date draft images menu weight toc aliases
WebAuthn Authelia WebAuthn Implementation An introduction into the Authelia roadmap. 2022-03-20T12:52:27+11:00 false
roadmap
parent
active
220 true
/r/webauthn

WebAuthn requires urgent implementation as it is being deprecated by Chrome. It is a modern evolution of the FIDO U2F protocol and is very similar in many ways. It even includes a backwards compatability extension called the FIDO AppID Extension which allows a previously registered FIDO U2F device to be used with the protocol to authenticate.

Stages

This section represents the stages involved in implementation of this feature. The stages are either in order of implementation due to there being an underlying requirement to implement them in this order, or in their likely order due to how important or difficult to implement they are.

Initial Implementation

{{< roadmap-status stage="complete" version="v4.34.0" >}}

Implement WebAuthn as a replacement for FIDO U2F with backwards compatibility.

Setting Value Effect
Conveyancing Preference indirect Configurable: ask users to permit collection of the AAGUID, this is like a model number, this GUID will be stored in the SQL storage
User Verification Requirement preferred Configurable: ask the browser to prompt for the users PIN or other verification
Resident Key Requirement discouraged See the passwordless login stage
Authenticator Attachment cross-platform See the platform authenticator stage
Multi-Device Registration unavailable see the multi device registration stage

Multi Device Registration

{{< roadmap-status >}}

Implement multi device registration as part of the user interface. This is technically implemented for the most part in the backend, it's just the public facing interface elements remaining.

Platform Authenticator

{{< roadmap-status >}}

Implement WebAuthn Platform Authenticators so that people can use things like Windows Hello, TouchID, FaceID, or Android Security Key. This would also allow configuration of the Authenticator Attachment setting most likely, or at least allow admins to configure which ones are available for registration.

Passwordless Login

{{< roadmap-status >}}

Implement the WebAuthn flow for Passwordless Login. This would also allow configuration of the Resident Key Requirement setting most likely, or at least allow admins to configure which ones are available for registration.