Over the past few years, major websites started offering a 2-factor authentication option based on hardware devices. The latest effort in this area is FIDO2, which comprises two closely related standards: WebAuthn for communicating between websites and a client (web browser), and CTAP2 (Client To Authenticator Protocol) for interacting with authenticator devices.
On the client side, however, there is still room for improvement. Although major web browsers have already adopted the CTAP2 protocol, they currently require direct access to the devices through a low-level transport such as USB HID. This can be problematic when authentication is required inside an isolated environment, such as a sandbox or container: the application provider would have to request full access to USB, even though the device is used solely for user authentication.
To mitigate this situation, we have implemented a proxy service that allows applications to access CTAP2 authenticator devices in a secure manner. With this service, the host has fine-grained access control over authenticator devices, while the applications can take advantage of the device discovery mechanism provided by the host. In this talk, we will look at the design of the proxy service, considering potential use cases and the security challenges involved. If time allows, we will show a demonstration using the current state of the implementation.
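To make the "fine-grained access control" concrete, here is an added example (not the npocs project's code) of the gate such a proxy can apply to every CTAP2 request before forwarding it to the USB HID device: a minimal CBOR decoder, and a per-application policy that restricts which commands the sandboxed application may issue and which relying-party IDs it may use. The command codes and parameter keys follow the CTAP2 specification; the policy values and the `check_request` helper are assumptions for illustration.

```python
# Added example (not the npocs project's code): the access-control gate a CTAP2
# proxy can apply to each request before forwarding it to the USB HID authenticator.
# A CTAP2 request is one command byte followed by a CBOR-encoded parameter map;
# command codes and parameter keys follow the CTAP2 spec, the policy is constructed.
CMD_MAKE_CREDENTIAL, CMD_GET_ASSERTION, CMD_GET_INFO, CMD_RESET = 0x01, 0x02, 0x04, 0x07

def cbor_decode(data, pos=0):
    """Minimal CBOR decoder for the types CTAP2 requests use (uint, bytes, text, array, map)."""
    major, info, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
    if info < 24:
        arg = info
    elif info <= 27:  # the next 1, 2, 4 or 8 bytes carry the argument
        n = 1 << (info - 24)
        arg, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:                      # unsigned int
        return arg, pos
    if major == 2:                      # byte string
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 3:                      # text string
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major in (4, 5):                 # array, or map as alternating key/value items
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            v, pos = cbor_decode(data, pos)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    raise ValueError("unsupported CBOR major type %d" % major)

# Constructed per-application policy granted by the host: which commands the
# sandboxed application may issue and which relying-party IDs it may use.
POLICY = {"allowed_commands": {CMD_GET_INFO, CMD_MAKE_CREDENTIAL, CMD_GET_ASSERTION},
          "allowed_rp_ids": {"example.com"}}

def check_request(ctap_msg, policy=POLICY):
    """Decide whether the proxy forwards ctap_msg to the device; returns (allowed, reason)."""
    cmd = ctap_msg[0]
    if cmd not in policy["allowed_commands"]:
        return False, "command 0x%02x not permitted" % cmd
    if cmd == CMD_GET_INFO:             # getInfo carries no parameters
        return True, "ok"
    params, _ = cbor_decode(ctap_msg, 1)
    # makeCredential: key 0x02 is the rp entity map {"id": ...};
    # getAssertion: key 0x01 is the rpId text string.
    rp_id = params[0x02]["id"] if cmd == CMD_MAKE_CREDENTIAL else params[0x01]
    if rp_id not in policy["allowed_rp_ids"]:
        return False, "rpId %r not permitted" % rp_id
    return True, "ok"
```

A request that fails the check is answered by the proxy itself and never reaches the authenticator, so a sandboxed application cannot, for instance, issue authenticatorReset or register credentials for a relying party the host has not granted it.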
The slides can be built at:
https://gitlab.com/npocs/presentation-devconf-2021