On Sat, Apr 13, 2024 at 8:44 AM Richard W.M. Jones <rjones(a)redhat.com> wrote:
I sometimes think how hard it would be to explain all of this to my
mother. I don't understand why 2FA needs to be so obscure and clumsy
to use.
FIDO2 (Apple branded[0] as "passkeys") is
not that hard to use, or explain. The problem
is that (a) passkeys are not yet universally
supported (and, in this case specifically, by
FAS[1]), and (b) unlike Apple (macOS, iOS,
etc.), Microsoft (Windows), and Android,
where the passkey is integrated into the
OS inside a protected enclave, there is no
trusted integrated support in Linux without
an external FIDO2 key[2][3] or using the
"scan a QR code" workaround with a
mobile device which does support use of
passkeys.
Unless your mother is using Linux (and
while Mrs. Roberts has been using Linux
for a long time, most moms don't), this is
likely a time limited issue as more and
more sites support passkeys and from
the consumer point of view it all mostly
just works.
I would like to imagine that FAS' current
2FA will eventually also be reasonably
easy with FIDO2/passkeys, which is why
I occasionally ask about the FIDO2
support status.
[0] I don't remember if there was any
official assignment of the branding, but
I heard that Apple was the org that
suggested the name.
[1] As I understand it, if/when some of the
FAS IdP moves to keycloak, FIDO2 2FA
*could* be supported. However, there is
no current schedule for that move that I
am aware of, and unless Fedora uses the
RHBK runtime, building keycloak from
source for Fedora can be a real PITA
(at least last I looked at it, maybe it has
gotten easier).
[2] As I understand it, the issue is the
lack of the required trusted environment
in generic Linux. There are software
implementations that do not have the
hardware enclave protections,
[3] External FIDO2 keys are also not free,
although I did see a $10 Adafruit FIDO2
key, which is the cheapest I have seen.