View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005482 | Composr | core | public | 2023-12-01 11:46 | 2024-07-25 21:38 |
Field | Value
---|---
Reporter | Patrick Schmalstig
Assigned To | Chris Graham
Severity | Feature-request
Status | closed
Resolution | duplicate
Product Version | 
Fixed in Version | 
Summary | 0005482: Implement passkeys
Description | The era of using passwords is coming to an end as more and more people, through the FIDO organization, switch to a new authentication standard called "passkeys". Passkeys utilize public and private key pairs to authenticate users instead of passwords. When a member registers on a site, their device generates, stores, and locks down a private key for the website they are registering on. Their device also generates an accompanying public key, which is sent to the server for storage. Then, when the user wishes to authenticate (providing their username), their request for authentication is answered with an encrypted challenge (the challenge is encrypted by the server with the public key). The user's device then decrypts the challenge with the stored private key (after the user unlocks the private key via some other means, such as a hardware device or biometrics). Once decrypted, the user's device makes a challenge response, encrypts it with the private key, and sends it to the server. The server decrypts it with the public key and confirms its validity; the user is now logged in. Theoretically, passkey login will eliminate phishing attacks, MFA fatigue, and having to remember passwords. However, I am still unsure about the process of "recovering" a lost private key. Nonetheless, I think it is important we start considering its implementation in Composr CMS. For example, there are already open-source self-hosted solutions out there for running passkey authentication, such as https://github.com/teamhanko/hanko.
Tags | Roadmap: Over the horizon
Time estimation (hours) | 
Sponsorship open | 
Duplicate of | 0003581 (non-assigned): Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys]
Date Modified | Username | Field | Change |
---|---|---|---|
2023-12-01 11:46 | Patrick Schmalstig | New Issue | |
2023-12-10 16:13 | Chris Graham | Relationship added | related to 0003581 |
2023-12-10 16:18 | Patrick Schmalstig | Tag Attached: Roadmap: v12 | |
2024-03-26 00:58 | Patrick Schmalstig | Tag Renamed | Roadmap: v12 => Roadmap: Over the horizon |
2024-07-25 21:38 | Chris Graham | Assigned To | => Chris Graham |
2024-07-25 21:38 | Chris Graham | Status | non-assigned => closed |
2024-07-25 21:38 | Chris Graham | Resolution | open => duplicate |
2024-07-25 21:38 | Chris Graham | Relationship replaced | duplicate of 0003581 |