DevConf.cz 2021 has ended
Back To Schedule
Saturday, February 20 • 2:00pm - 2:25pm
Closing gaps in strong auth: FIDO2 device support

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

Over the past few years, major websites started offering a 2-factor authentication option based on hardware devices. The latest effort in this area is FIDO2, which comprises two closely related standards: WebAuthn for communicating between websites and a client (web browser), and CTAP2 (Client To Authenticator Protocol) for interacting with authenticator devices.

On the client side, however, there is still room for improvement. Although major web browsers have already adopted the CTAP2 protocol, they currently require direct access to the devices through a low-level transport such as USB HID. This can be problematic when authentication is required inside an isolated environment, such as in a sandbox or container: the application provider would have to request full access to USB, whereas its usage is sorely for user authentication.

To mitigate this situation, we have implemented a proxy service that allows applications to access CTAP2 authenticator devices in a secure manner. With this service, the host has fine grained access control over authenticator devices, while the applications can take advantage of the device discovery mechanism provided by the host. In this talk, we will look at the design of the proxy service considering potential use-cases and challenges in terms of security. If time allows, we will show a demonstration using the current state of implementation.

The slides can be built at: https://gitlab.com/npocs/presentation-devconf-2021


Daiki Ueno

Engineer, Red Hat

Norbert Pocs

Intern, Red Hat
Intern in the Crypto Team

fido2 webm

Saturday February 20, 2021 2:00pm - 2:25pm CET
Session Room 3