Hello everyone,
we are currently setting up privacyIDEA with a focus on WebAuthn. During the configuration I was wondering if there are any plans to support usernameless authentication. In detail, we would like to use the WebAuthn Conditional UI explainer (w3c/webauthn wiki on GitHub). I already started digging into the source code and recognized that this would be a pretty large change. Besides extending the registration of tokens, usernameless verification must be implemented. At the time of writing this would be a completely new flow/aspect. We have some staff to implement possible changes, but we are unsure whether such behavior is desirable in principle.
Kind regards
Flo
Hi Flo,
welcome to privacyIDEA.
Yes, it is. See:
opened 08:47PM - 16 Oct 22 UTC
Type: Feature request
Prio: Medium
### Is your feature request related to a problem? Please describe.
As a user, I would like to login using WebAuthn/FIDO2 without specifying the `user=` option while triggering a challenge. A user identification ahead of the Challenge-Response Flow is not needed.
This allows a user-friendly login experience by just clicking a button `Sign in using webauthn` with highest security standards.
**Background:**
Today, privacyIDEA server has the following information after a WebAuthn token was enrolled.
* privacyIDEA knows the `serial` of the webauthn token that is assigned to a `user` object
* The `token` object contains the `credentialId` from the enrollment ceremony
Today, a `POST /validate/check?user=xyz&type=webauthn` includes the `allowCredentials` json element, that is actually optional in WebAuthn, see [W3C PublicKeyCredentialRequestOptions](https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options). With binding the WebAuthn Challenge to the user and with it to the `allowCredentials`, privacyIDEA enforces the optional parameter.
**Idea:**
Use the `credentialId` to uncover the `user` during the WebAuthn Challenge-Response while authenticating. This allows logging in by just using WebAuthn and without specifying any additional information like the `user=` option ahead of the challenge creation.
This can be tested using the [webauthn-demo](https://github.com/privacyidea/webauthn-demo). This assumes that a WebAuthn token was successfully enrolled. The demo asks for `user@realm` and `pin`. Actually, with the suggestion described in this issue, one only needs to click a "Sign in" button.
#### Reasoning
This would allow a seamless login experience, similar to the efforts of "Passkey".
Add a button `Sign in with FIDO2/Passkey` which triggers an "anonymous" WebAuthn challenge. Here, anonymous means "not bound" to a user.
Sign the challenge with a known `credentialId`, and resolve the `user` in the second phase of the Authentication flow.
---
### Describe the solution you'd like
WebAuthn should work without the need to trigger a challenge for a specific `user` or `serial`, because the token is already bound to the `credentialId` delivered in the 2nd step of the authentication flow.
This allows to have seamless integration of WebAuth
---
### Describe alternatives you've considered
Use the `user` or `serial` bound approach that exists. This requires identifying the user before creating a token challenge.
---
### Additional context
#### Implementation suggestion
Inspired by [webauthntoken.py#L197](https://github.com/privacyidea/privacyidea/blob/v3.7.3/privacyidea/lib/tokens/webauthntoken.py#L197) but with an "anonymous" challenge.
**Pseudo Procedure:**
* Allow anonymous Challenge creation:
```bash
POST /validate/check?type=webauthn
# No user & serial specified, but just trigger a webauthn challenge
```
* Get "anonymous" WebAuthn challenge:
```json
{
  "detail": {
    "attributes": {
      "hideResponseInput": true,
      "img": "<image URL>",
      "webAuthnSignRequest": {
        "allowCredentials": [],
        "challenge": "<nonce>",
        "rpId": "<relying party ID>",
        "timeout": 60000,
        "userVerification": "<user verification requirement>"
      }
    },
    "client_mode": "webauthn",
    "message": "Please confirm with your WebAuthn token",
    "serial": "",
    "transaction_id": "<transaction ID>",
    "type": "webauthn"
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "authentication": "CHALLENGE",
    "status": true,
    "value": false
  },
  "version": "<privacyIDEA version>"
}
```
**Note:** No `allowCredentials` and no `serial`, because it's anonymous. All authenticators might sign the request now.
* User gets prompt to sign the WebAuthnSignRequest & signs the challenge. All users with a passkey from the Relying Party can sign the challenge.
* Send the response to the privacyIDEA server. Equivalent to [webauthntoken.py#L394](https://github.com/privacyidea/privacyidea/blob/v3.7.3/privacyidea/lib/tokens/webauthntoken.py#L394) without the `user` option
```http
POST /validate/check HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded

transaction_id=<transaction_id>&credentialid=<id>&clientdata=<clientDataJSON>&signaturedata=<signature>&authenticatordata=<authenticatorData>&userhandle=<userHandle>&assertionclientextensions=<assertionClientExtensions>
```
* privacyIDEA resolves the `user` & `serial` based on the `credentialid`, which is uniquely bound to the token, AND proves the signature.
* Return HTTP response with `true` AND a user identifier.
**Question:**
I am interested in your opinions on this proposal! What do you think?
Oops, we added this to Milestone 3.9.
This could™ be a bit optimistic.
This needs a more generic concept (I currently cannot find the issue/wiki entry).
There are also plans to enhance smartcard authentication in a way to authenticate with challenge/response by simply scanning a QR code, without the need to previously enter a username or a password.
This requires:
* a challenge-response DB table that works without a reference to a user or serial number
* an additional API endpoint and workflow
* a tokenclass attribute stating which tokens are capable of supporting this workflow
* tokenclass methods

to name a few.
Great! Thanks for the response and the link to the GitHub Issue. As already mentioned we (the Munich University of Applied Sciences) would be able to invest some time to implement some features or solutions. If you have concrete ideas about which functions need to be implemented, we are happy to undertake individual parts.