Stronghold Adoption Proposal: HOTP / TOTP / FIDO2 #425
felsweg-iota
asked this question in
Ideas
note: Stronghold Adoption Proposals shall incite ideas where Stronghold could be integrated.
Stronghold Adoption Proposal: HOTP / TOTP / FIDO2
Overview
Stronghold shall get support for HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTP) to support Fast Identity Online version 2 (FIDO2).
Motivation
Password-only authentication carries a great risk of being compromised when not handled properly on the server side. Stronghold can be used to provide HOTP / TOTP based authentication algorithms in addition to password-only authentication services.
Use Case Discussion
Website Authentication with Stronghold as a Platform Authenticator
Stronghold can run as a system service in the background, reachable via sockets. Stronghold will itself be registered as an authenticator and provide a thin API abstraction on top of the WebAuthn API.
FIDO2-supporting websites and service providers with web access can then require the secret to be stored inside Stronghold as the authenticator, so that for public-key challenge requests Stronghold can additionally be used to provide a time-based one-time password as a second factor.
Stronghold communicates with the browser via sockets, while no challenge or private data will be sent over this channel. The stored secret will be used to generate a code with a short lifetime of 30 seconds.
Integration
Stronghold can store the secret key safely inside the already present infrastructure code available as vault, accessible with the more generic cryptographic procedure "WriteVault". An additional cryptographic procedure is required to calculate the actual one-time password from the stored secret, making use of Unix system time. This additional procedure shall be given the option to accept an optional system time value.
The call itself to the procedure will be handled by the existing infrastructure code.
Alternatives
As an alternative to using Stronghold as secure storage backend and integrated platform authenticator, a roaming authenticator such as a USB-based hardware token supporting the FIDO2 standard can be used instead.
Resources
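The following is an added, stand-alone example of the one-time-password procedure the proposal asks for (HOTP per RFC 4226, TOTP per RFC 6238, including the optional system-time override); it is not code from the post or from the Stronghold project, and it does not touch Stronghold's vault or "WriteVault" procedure, which is assumed to already hold the secret. It uses only the Python standard library, and the embedded key is the constructed reference key from the RFCs so the results can be checked against the published test vectors. It also goes one step beyond the post by adding the server-side check with a clock-skew window and constant-time comparison.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only.

Added illustration for the Stronghold proposal above; not Stronghold code.
The secret would come out of the Stronghold vault in the real integration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed input: the 20-byte reference key shared by the RFC 4226 and
# RFC 6238 (SHA-1) test vectors, so the outputs below are independently checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30,
         digits: int = 6, t0: int = 0, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from time.

    `now` is the optional system-time value the proposal mentions: when given,
    it replaces the clock, which makes the procedure deterministic and testable.
    """
    if now is None:
        now = int(time.time())
    return hotp(secret, (now - t0) // step, digits, digest)


def verify_totp(secret: bytes, candidate: str, now: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check: accept the code for the current step or up to `window`
    adjacent steps to tolerate clock skew. Returns the matched step counter so
    the caller can store it and reject a replay of the same code, or None.
    Comparison is constant-time so the check does not leak matching digits."""
    if now is None:
        now = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = (now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 vector: T=59 -> 94287082 (8 digits, SHA-1).
    print(totp(RFC_TEST_SECRET, now=59, digits=8))
    # Live code for the constructed key, then a self-check with a 1-step window.
    code = totp(RFC_TEST_SECRET)
    print(code, verify_totp(RFC_TEST_SECRET, code) is not None)
```

Two caveats a deployment would add on top of this: the accepted step counter returned by `verify_totp` must be persisted per user so a code observed once cannot be accepted again within the window, and the 30-second lifetime only limits the usable window of a stolen code; it does not protect the long-lived shared secret, which is exactly why the post wants it kept in the vault rather than in application memory.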