Project

General

Profile

Actions

Feature #15244

open

Modern authentication via FIDO2 for local account authentication

Added by Paul Smith 10 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
User Manager / Privileges
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

Implementation of FIDO2 WebAuthN capabilities into RELENG_2_7_2.

WHAT
FIDO2 adds convenient phishing-resistant multifactor authentication to pfsense webui for local accounts.
With this implementation, you can use passkeys, pin, and biometrics from device platform (e.g. Windows Hello) or roaming devices (e.g. yubikey).
For more info visit - https://fidoalliance.org/fido2/

WHY
pfSense should have phishing-resistant multifactor authentication capabilities. Since W3C implementation of WebAuthN & CTAPv2 this is now possible in most modern browsers and platform devices, and therefore capable within pfsense.
FIDO2 is becoming industry standard replacement for password-based authentication (Google, Microsoft, Meta). This will add additional security protections and value with little to no impact to the product.

Implementation Fork from RELENG_2_7_2
https://github.com/TheUniquePaulSmith/pfsense/tree/devel/modern_auth

Implementation Requirements: Design Decisions:
  • I opted not to make this a package as it should be core offering of the product and webui\system_usermanager itself (also needed to modify login page to support FIDO2)
  • FIDO2 attestations use php openssl_verify as core authentication mechanism
  • FIDO2 is a more secure login mechanism, but needs to co-exist with Forms-based password login for now
  • Modifications to account creation page to support registration of platform-based FIDO2 credentials
  • Registrations are stored in an array $confg->system->user->fido2entries
  • Users can (and should) register multiple FIDO2 devices (typically in case of lost device)
  • I wanted to make minimally invasive injection of FIDO2, therefore only the login page, and system_usermanager UIs were changed
  • I tried my best to follow the php coding standards and practice that has been laid out, essentially, I cloned password-based login with fido2 capabilities in auth code
Current Limitations\Issues:
  • Need to fix reg & auth challenge validation
  • You can only register and delete FIDO2 registrations and not edit them
  • If admin changes the FQDN of pfSense, all existing registrations will become invalid since they are tied to relying party
  • Registration process is kind of clunky since I tried to fit it into the system_usermanager POST requests. Essentially you create a registration on your device, then "Save" it on a user which is processed by the server. Can lead to a state where user doesn't click Save but a passkey on the device was already created (and not saved on the server)
  • FIDO2 registrations are tied to existing users, therefore you must create a user first before being able to register a device
  • I only implemented platform based registration, but should be easy to allow cross-platform (roaming) registrations
  • I use javascript prompt (yuck) to capture friendly description during registration. Might be better to build separate page\tab (like how certificates work)
  • Not great with javascript & php encoding formats, so there is probably unnecessary encoding handling from client to server

Sign-In Page after clicking Link

Registering new FIDO2 credential

refer to the following article to manage passkeys in Windows 11: https://support.microsoft.com/en-us/windows/passkeys-in-windows-301c8944-5ea2-452b-9886-97e4d2ef4422


Files

Actions

Also available in: Atom PDF