Would you like to see FIDO U2F?

Started by Kimmax, August 14, 2018, 03:52:29 PM

Hey there
Would anyone be interested in a FIDO U2F implementation, to be used e.g. with a YubiKey or other physical 2FA devices?

I probably could find some time to implement it soon.
Let me know what you think!

I don't have one but I also don't think anybody is against supporting it. If it needs additional dependencies, please make a plugin instead of adding it to core.

As said on IRC, "support for it" and "user base for it" are both important factors. Adding features that are prone to bit rot, e.g. not used by the author for a specific use case, could indicate efforts are better spent elsewhere.

At least with this thread users can find and voice their desire now or in the future. :)


Cheers,
Franco

I secure what I can using my YubiKeys; U2F is just the icing on the cake. YubiKeys do support OTP too, however I think U2F is the future and will hopefully be adapted and usable almost everywhere, so that would get myself up to speed implementation-wise and it might help push U2F a bit more.
I might still do this when I have some free time at hand.

As Franco said, input is more than welcome!

Whatever this means, I would love to "+1" a real FIDO2 support (not "just" U2F). While I can't offer much coding help, I can offer testing help.
Deciso DEC750 x2
Deciso DEC2752 x1

I think FIDO2 will be the future - would be happy to see an auth plugin soon.
VMW / PMX / PFS / OPS

I'm very interested in having a WebAuthn 2FA option too.

Quote from: Kimmax on August 14, 2018, 03:52:29 PM
Hey there
Would anyone be interested in a FIDO U2F implementation, to be used e.g. with a YubiKey or other physical 2FA devices?

I probably could find some time to implement it soon.
Let me know what you think!

Bumping this thread. Definitely interested. The U2F and WebAuthn ecosystem has matured. I use YubiKeys for a wide range of services, including SSH, various financial institutions, etc.

Would be great to have a YubiKey-type option for the web browser interface in OPNsense.

Yes, although preferably WebAuthn/FIDO2. This is likely to become increasingly popular now that passkeys are supported on iOS, Android and other devices. The US Federal government is also keen to get rid of any form of authentication that isn't phishing resistant. See https://zerotrust.cyber.gov/federal-zero-trust-strategy/#identity

Quote
MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks, which can convincingly spoof official applications and involve dynamic interaction with users. Users can be fooled into providing a one-time code or responding to a security prompt that grants the attacker account access. These attacks can be fully automated and operate cheaply at significant scale.

Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government's Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)'s open "Web Authentication" standard, another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services.

Agencies must require their users to use a phishing-resistant method to access agency-hosted accounts. For routine self-service access by agency staff, contractors, and partners, agency systems must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications.
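The quoted strategy says WebAuthn resists the relay-style phishing that defeats one-time codes, but not why. The mechanism is origin binding: the browser, not the page, writes the origin into clientDataJSON and derives the rpId from it, and the relying party checks both against what it expects. The following is an added example, not code from this thread or from OPNsense; the origins, rpId and "authenticator" are constructed for the demo, and an HMAC stands in for the per-credential asymmetric signature (ES256 etc.) a real security key produces, so the block runs on the standard library alone.

```python
# Added example: why a WebAuthn assertion cannot be relayed from a look-alike
# site the way a one-time code can. Everything here is constructed for the demo.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "firewall.example"                     # constructed relying-party id
RP_ORIGIN = "https://firewall.example"         # the only origin the RP accepts
PHISH_ORIGIN = "https://firewall-example.net"  # constructed look-alike origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a security key. A real device only holds credentials scoped
    to the rpId they were registered for and refuses any other rpId outright;
    this toy signs for any rpId so the relying-party checks below get exercised.
    HMAC replaces the real asymmetric per-credential signature."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = SHA-256(rpId) || flags (UP bit set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        signature = hmac.new(self.secret, signed, hashlib.sha256).digest()
        return auth_data, signature


def browser_get(origin: str, challenge: bytes, authenticator: ToyAuthenticator):
    """What the browser does for navigator.credentials.get(): it records the
    page's real origin in clientDataJSON and derives the rpId from that origin.
    The page's JavaScript cannot override either value."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id = urlparse(origin).hostname
    auth_data, signature = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, signature


def rp_verify(secret: bytes, issued_challenge: bytes, client_data: bytes,
              auth_data: bytes, signature: bytes) -> tuple:
    """Relying-party side: the checks that make the assertion origin-bound."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def otp_verify(secret: bytes, counter: int, code: str) -> bool:
    """A counter-based one-time code carries nothing tying it to an origin, so
    a code the user typed into a look-alike page verifies just as well relayed."""
    expected = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = ToyAuthenticator()
    results = {}
    # 1. Honest login: the user really is on the RP's origin.
    challenge = secrets.token_bytes(32)
    results["genuine"] = rp_verify(key.secret, challenge,
                                   *browser_get(RP_ORIGIN, challenge, key))
    # 2. Real-time relay: a look-alike site forwards the RP's genuine challenge
    #    to the victim's browser and forwards the answer back. The browser
    #    stamped the look-alike origin into clientDataJSON, so the RP rejects it.
    challenge = secrets.token_bytes(32)
    results["relayed_webauthn"] = rp_verify(key.secret, challenge,
                                            *browser_get(PHISH_ORIGIN, challenge, key))
    # 3. The same relay against a one-time code succeeds: nothing in the code
    #    records where the user typed it.
    otp_secret = secrets.token_bytes(20)
    code_typed_on_phish = hmac.new(otp_secret, (7).to_bytes(8, "big"),
                                   hashlib.sha256).hexdigest()[:6]
    results["relayed_otp"] = otp_verify(otp_secret, 7, code_typed_on_phish)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in rp_verify mirrors the relying-party steps in the WebAuthn specification (type, challenge, origin, rpIdHash, flags, signature); an implementation for a firewall UI would additionally compare the origin against the exact scheme and port it serves on and persist the signCount to detect cloned authenticators.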