In 2019, the German c't magazine published some articles [1, 2, 3, 4] about FIDO2 and the new WebAuthn protocol, promoting a bright password-less future. The basic idea is simple and IMHO simply great: use a specialized little hardware device as a key generator and secure private key store. Somewhat like a "TPM to go", but with a simple interface (quite unlike, e.g., a TPM).
So, after some time of this tempting promotion I headed straight to the next web store and got such a FIDO2 stick. But disillusionment soon set in: yes, you can use the stick on some large sites like Microsoft or Google. But I use my Google account only minimally (Play Store for apps on my mobile), and don't even have a Microsoft account (what for?). And yes, there are some other sites where you can use the stick, but only as a second factor. So the current reality is far from the password-less vision :-(
My next thought was: even if I use the FIDO2 stick only on my private web server, even this would increase both comfort (no password) and security (no memorable password) at the same time. There surely is some Apache module for FIDO2 authentication, let's do

    apt search apache fido2

and ... nothing?!? Hm, not packaged yet? I found a list of FIDO2-related software, but there too all the server-side stuff is intended only for standalone authentication servers. Is it so hard to verify a signature??
Anyway, my disappointment finally turned into activity, and I started to dive into WebAuthn protocol descriptions and example Apache authentication modules. That turned into some code, and the result is my mod_authnz_fido2 project.
My design goals with that Apache module roughly were:
What I learned during implementation is that the WebAuthn client side (in the browser) is available only from JavaScript, so I had to deliver some JS code to the client. I tried to do that somewhat transparently, so that the HTML code itself is not affected. The other lesson learned was that there's no way to use Bearer authentication without processing the tokens with JavaScript. So I finally ended up storing the token in a cookie, which is then passed to the server automatically with subsequent requests.
Last modified: Fri Jul 31 21:46:34 2020
Please send questions and comments to roman@hodek.net. Copyright (C) 2002-2020 Roman Hodek