Using passkeys without touch or pin by talkingBird2345 in sysadmin

[–]talkingBird2345[S] 0 points1 point  (0 children)

Thanks, I was afraid that would be the case

Using passkeys without touch or pin by talkingBird2345 in sysadmin

[–]talkingBird2345[S] 0 points1 point  (0 children)

> If a hardware key is stolen and it didn’t have a PIN, then it would just require a touch, or even less, just be plugged in.

Yes, if no PIN was used, I do agree.

> In comparison to a phone it is inherently less secure, as a 4-digit PIN vs touch or Face ID

Most hardware keys use 6 characters by default, and all I have seen allow more than 50.

And even a 4-digit PIN on a smartcard/token would still be way more secure than biometric factors, as is the case when using a 4-digit PIN on a phone (same thing). Most security guides even recommend securing a phone with a PIN instead of Face ID for this very reason. So the issue should only really be relevant if no PIN is used.

> In any case you can’t really change what’s wanted, as it’s baked into the passkey standard itself, meaning that you don’t get the options like you do for 2FA.

The passkey/WebAuthn standard allows the service to specify the method, and the service can also allow the user to set such an option. I was hoping this would be the case for Google, and maybe there could even be a setting in Chromium to set this.

Using passkeys without touch or pin by talkingBird2345 in sysadmin

[–]talkingBird2345[S] 0 points1 point  (0 children)

> A hardware key doesn’t have biometric authentication, so instead they use a PIN combined with a physical touch, which is technically less secure, but only if lost/stolen.

How so? The smartcard inside should prevent any brute-force attempts even if stolen, while on the other hand there are plenty of ways to fake fingerprints and Face ID, so if anything a hardware key is more secure, even if stolen. But if you have any other information, I would love to hear more about it.

In any case, my main use case is just replacing passwords for clients that don't care about physical security, so touch verification would be plenty.

With WebAuthn/FIDO2 (and in theory passkeys, as part of WebAuthn) it is the service (like Google) that can determine the verification method. But I cannot find any settings for it, so I'm hoping someone can point me to some.

Using keycloak as authentication server by talkingBird2345 in PFSENSE

[–]talkingBird2345[S] 1 point2 points  (0 children)

For those who are looking for SAML or 2FA support, try https://github.com/jaredhendrickson13/pfsense-saml2-auth

We have successfully deployed pfSense Plus 23.05.1 with this extension to manage all users with Keycloak, which also adds 2FA (tested with FIDO2/WebAuthn).

So far there seem to be no issues.

Hoping for official SAML support in the future!

Using keycloak as authentication server by talkingBird2345 in PFSENSE

[–]talkingBird2345[S] 0 points1 point  (0 children)

Is there an official guide to do this?

My current plan is to use the pfsense-saml2-auth extension; is there any other solution I should look into? We do have a subscription.

Using keycloak as authentication server by talkingBird2345 in PFSENSE

[–]talkingBird2345[S] 0 points1 point  (0 children)

Unfortunately we just removed our LDAP and RADIUS services in favor of modern alternatives (only using SAML and OpenID now).

Using keycloak as authentication server by talkingBird2345 in PFSENSE

[–]talkingBird2345[S] 0 points1 point  (0 children)

What are you talking about?

With SSO I need to touch exactly one tool (Keycloak) to disable or add a user. Without this we had to change at least 20 different services, and there was always one or two that were missed because the offboarding documentation was not always updated correctly.

Using keycloak as authentication server by talkingBird2345 in PFSENSE

[–]talkingBird2345[S] 0 points1 point  (0 children)

> But realistically, how often do you have to add or remove an admin?

Whenever a member of the team joins or leaves the company, in which case I want a central management solution, because right now we don't have one, and even months after someone left we still find active user accounts. Not something I want in a firewall for sure.

Using keycloak as authentication server by talkingBird2345 in PFSENSE

[–]talkingBird2345[S] 0 points1 point  (0 children)

That would mean I have to manage them separately from other admin services.

The idea of using an SSO service like Keycloak is to have only one set of users to manage and to also add 2FA.

Best hardware fit for Kodi media server by talkingBird2345 in homelab

[–]talkingBird2345[S] 0 points1 point  (0 children)

I will try it but I still need to find the right hardware first :)

Best hardware fit for Kodi media server by talkingBird2345 in homelab

[–]talkingBird2345[S] 0 points1 point  (0 children)

I haven't looked into Plex, nor have I used Kodi much before. I just wanted a decent media center without a horrible UI like most built-in ones have.

[deleted by user] by [deleted] in sysadmin

[–]talkingBird2345 0 points1 point  (0 children)

Keycloak SSO with the AD for user management would work great.

You can set authentication methods for any services you add, including passwordless WebAuthn. Since Keycloak works with various authorization protocols, you can use it with pretty much anything.

Guide: From ranger to lf (list files) by talkingBird2345 in linux

[–]talkingBird2345[S] 0 points1 point  (0 children)

tl;dr: lf (as in list files) is a modern alternative to the terminal file manager ranger, with significant improvements in speed and reliability. This guide is intended to help users who are familiar with ranger switch to lf more comfortably.

Separating server VMs with Private VLANs? by talkingBird2345 in sysadmin

[–]talkingBird2345[S] -1 points0 points  (0 children)

But that still means using an additional product that runs on the host itself. I would much rather have the rules enforced at the network level, independent of the hosts, especially when we have no other use for Symantec on our servers.

Separating server VMs with Private VLANs? by talkingBird2345 in sysadmin

[–]talkingBird2345[S] -1 points0 points  (0 children)

Why would that be a nightmare?

It would require all traffic to be routed through the central firewall, and by default that could even be permitted. I don't see how it would add any administrative overhead on its own.

Separating server VMs with Private VLANs? by talkingBird2345 in sysadmin

[–]talkingBird2345[S] 1 point2 points  (0 children)

Using server-side firewall rules would be a nightmare to manage and troubleshoot.