xdg-credentials-portal

This is a standalone service which aims to offer FIDO2 platform functionality (FIDO U2F, and WebAuthn) on Linux, over a D-Bus Portal interface.

The project is composed of multiple crates:

• libwebauthn: Linux native implementation of FIDO2 and FIDO U2F Platform APIs.
  • Fully written in Rust.
  • No longer relies on Mozilla's authenticator-rs.
  • Supporting multiple transports (currently USB HID and BLE). The library is designed to have pluggable transport implementations, making it easy to add transport backends (planned: NFC, caBLEv2).
• xdg-credentials-portal: API proposal and reference implementation for a service which will expose FIDO2 and FIDO U2F Platform APIs via a D-Bus interface, for desktop applications to use - including conteinerized apps such as Flatpaks.
  • Similarly to xdg-desktop-portal and xdg-documents-portal, the service is intended to be accessed over a proposed D-Bus portal: org.freedesktop.portal.Credentials.

libwebauthn

Platform functionality

• FIDO U2F
  • 🟢 Registration (U2F_REGISTER)
  • 🟢 Authentication (U2F_AUTHENTICATE)
  • 🟢 Version (U2F_VERSION)
• FIDO2
  • 🟢 Create credential
  • 🟢 Verify assertion
  • 🟢 Biometric user verification
  • 🟢 Discoverable credentials (resident keys)
• FIDO2 to FIDO U2F downgrade
  • 🟢 Basic functionality
  • 🟢 Support for excludeList and pre-flight requests
• PIN/UV Protocols
  • 🟢 PIN/UV Auth Protocol One
  • 🟢 PIN/UV Auth Protocol Two
• PIN/UV Operations
  • 🟢 GetPinToken
  • 🟢 GetPinUvAuthTokenUsingPinWithPermissions
  • 🟢 GetPinUvAuthTokenUsingUvWithPermissions
• Passkey Authentication
  • 🟢 Discoverable credentials (resident keys)
  • 🔴 Cloud-Assisted BLE (caBLE) transport (#31 blocked: spec not yet published)

Transports

xdg-credential-platform

This is a very early stage idea, no proposed spec exists yet.

Here is an high-level architecture diagram of the proposed service and how it will interact with its clients:

Footnotes:

• *: Better alternatives for UI should be considered, e.g. native UI implementations via xdg-credentials-portal-{gnome, kde}.
• Δ: See Roadmap section below

Motivation

• Sandboxed Browsers. A modern solutions is required to allow sandboxed applications (Flatpaks, Snaps) to access U2F and FIDO2 devices, without granting blanket access to all devices.

  • Firefox has now officially been released on Flathub, but is unable to access U2F devices. See flatpak issue #2764

• Passwordless Authentication. FIDO2/WebAuthn brings the promise of a world without passwords, and related security incidents, which is worth pursuing. A platform API would make it easier for applications to support stronger authentication.

• Platform Authenticators are an important part of the FIDO2 specification, and fundamental for widespread adoption of passwordless authentication. Windows Hello, Android's FIDO2 support, Apple's TouchID and FaceID, are all examples of platform authenticators. There is no reason why the Linux desktop community could not enjoy similar benefits

  • Passwordless Web Authentication Support via Windows Hello - Mozilla Security Blog
  • Your Google Android 7+ Phone Is Now a FIDO2 Security Key - Fido Alliance

• Native Apps FIDO2 Support. FIDO2 should not be segregated to web applications.

  • FIDO2 API for Android (native apps)

Other platforms

Here is a list of related APIs available on other platforms, which offer similar functionality:

• Android SDK: Fido2ApiClient
• Windows Hello: FIDO2 Win32 APIs
• macOS, iOS: WebAuthn via ASWebAuthenticationSession

Further references:

• D-Bus API Design Guidelines
• Relevant FIDO2 specifications:
  • CTAP 2.0 Proposed Standard
    • Section 7: Interoperating with CTAP1/U2F authenticators
    • CTAP 2.1 Review Draft
  • W3C - Web Authentication API

Contributing

If you'd like to contribute but you don't know where to start, take a look at available tasks in the Issues tab.

Alternatively, any investigation or expertise on the following would be very helpful. Please reach out!

• Platform Authenticator support. Similarly to Android devices, and Windows Hello. In order to implement this (and request FIDO2 certification), support for the following is needed:

  • Trusted Platform Modules (TPMs)
  • User-verification devices (e.g. fingerprint readers)

• Unprivileged access. FIDO2 credentials are scoped to an origin (e.g. https://example.org). The proposed API allows applications to specify any origin (as needed by browsers). Hence, it requires an additional user confirmation step for security purposes. This extra step may not be needed if the request sender could be verified, as the legitimate owner of the specified origin.

  • As an example, Android has implemented two APIs: Fido2ApiClient (unprivileged), and Fido2PrivilegedApiClient (privileged) for use by web browsers. The main difference between the two is that the privileged API allows specifying an arbitrary origin, whilst the unprivileged API requires linking your app to your origin.

• PAM, and passwordless login (long-term goal). A PAM module would allow using FIDO2 for user login purposes, e.g. using the platform authenticator (similar to Windows Hello).

• D-Bus Portal API design

• Proposal and contribution processes (Flatpak, GNOME, etc.)

• UI/UX