View Issue Details

ID: 5482
Project: Composr
Category: core
View Status: public
Last Update: 2024-07-25 21:38
Reporter: PDStig
Assigned To: Chris Graham
Priority: normal
Severity: feature
Status: closed
Resolution: duplicate
Summary: 5482: Implement passkeys
Description: The era of using passwords is coming to an end as more and more people, through the FIDO organization, switch to a new authentication standard called "passkeys".

Passkeys utilize public and private key pairs to authenticate users instead of passwords. When a member registers on a site, their device generates, stores, and locks down a private key for the website they are registering. Their device also generates an accompanying public key which is sent to the server for storage.

Then, when the user wishes to authenticate (providing their username), their request for authentication will be responded with an encrypted challenge (the challenge is encrypted by the server with the public key). The user's device then decrypts the challenge with the stored private key (after the user unlocks the private key via some other means such as a hardware device or biometrics). Once decrypted, the user's device will make a challenge response, encrypted with the private key, and sent to the server. The server will decrypt it with the public key and confirm its validity; the user is now logged in.

Theoretically, passkey login will eliminate phishing attacks, MFA fatigue, and having to remember passwords. However, I still am unsure about the process of "recovering" a lost private key. Nonetheless, I think it is important we start considering its implementation into Composr CMS.

For example, there are already open-source self-hosted solutions out there for running passkey authentication, such as https://github.com/teamhanko/hanko .
Tags: Roadmap: Over the horizon

Relationships

duplicate of 3581 (Not Assigned, reported by Guest): Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys]

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2023-12-01 11:46 PDStig New Issue
2023-12-10 16:13 Chris Graham Relationship added related to 3581
2023-12-10 16:18 PDStig Tag Attached: Roadmap: v12
2024-03-26 00:58 PDStig Tag Renamed Roadmap: v12 => Roadmap: Over the horizon
2024-07-25 21:38 Chris Graham Assigned To => Chris Graham
2024-07-25 21:38 Chris Graham Status Not Assigned => Closed
2024-07-25 21:38 Chris Graham Resolution open => duplicate
2024-07-25 21:38 Chris Graham Relationship replaced duplicate of 3581