FYI: MFA on on Gnome Desktop on Fedora 43 Linux

[kulak]

I am sharing my experience with MFA on Firefox on Gnome on Fedora 43 Linux.

In short: it does not work on Firefox. Use Chrome web browser instead and make sure you have password storage configured.

When I enable MFA on Firefox, I get prompt "touch your security key", which I don't have. I tried disabling the key with about:config and then security.webauth.webauthn_enable_usbtoken set to false, but that led to "invalid token".

[sebadob]

Firefox works perfectly fine on all OS'es since years. The same as all the other major browsers.

The only difference is that Firefox is a lot more strict than Chromium-based browsers. E.g. if you have invalid or even self-signed TLS certificates, it will refuse Webauthn. How it prompts, what it prompts, what it says, is nothing Rauthy can do anything about. It's using the default Webauthn API, which is defined in stabled RFCs and is working just fine. The prompt will look different on different browsers (of course), but that's about it. It's working fine everywhere, as long as your setup it correct.

When I enable MFA on Firefox, I get prompt "touch your security key", which I don't have.

When you don't have a key, of course it's not possible to add a Passkey.

[sebadob]

The issue with the prompt: I have no security device like fingerprint reader. It is a PC with mouse, keyboard and no additional input devices.

But you are trying to register a passkey there. Your screenshot looks like expected. When you don't have a Passkey in whatever form (hard- or software), what are you trying to add there?

When I tried Chrome, I had no problem with configuring MFA.

But when you don't have a passkey, I guess Chrome is simulating one in software under the hood which would be quite a big issue and does not really boost your security at all. If that's the case by now (I never use Chrome, don't know if it does it these days), then Google owns your passkey. FYI if Chrome does this, this is NOT normal behavior, and probably an attempt from Google to collect users credentials. In this case, if your Chrome (and simulated passkeys) is not synced over all your devices, I guess you will only be able to log in on this single device as well.

Edit:

Btw Firefox (and some others too) fall back to the USB Key message when they don't find any other keys like e.g. simulated ones from Password Managers or the OS.

[kulak]

But when you don't have a passkey, I guess Chrome is simulating one in software under the hood which would be quite a big issue and does not really boost your security at all. If that's the case by now (I never use Chrome, don't know if it does it these days), then Google owns your passkey. FYI if Chrome does this, this is NOT normal behavior, and probably an attempt from Google to collect users credentials. In this case, if your Chrome (and simulated passkeys) is not synced over all your devices, I guess you will only be able to log in on this single device as well.

Confirmation of your statement. The following is a screenshot for Chrome.

[kulak]

Btw Firefox (and some others too) fall back to the USB Key message when they don't find any other keys like e.g. simulated ones from Password Managers or the OS.

I did not observe this behavior. If I did, I would not try Chrome. On my Firefox screenshot, there is only Cancel button option.

I don't know if it is my environment configuration or general Firefox behaior on Linux.

[kulak]

When you don't have a Passkey in whatever form (hard- or software)

Perhaps, I am missing something fundamental here.

Am I expected to have a secret storage software (insert name, I don't know) that integrages with web browser and passes to it a generated passkey? What would that software be on Linux?

[sebadob]

Firefox behaves "normal", Chrome does not, somewhat. I think Firerfox is developing an internal solution as well, but I am not sure if it's still experimental.

The original idea of passkeys, and also the safest option out there, are things like Yubikeys. This one e.g.: https://www.yubico.com/products/security-key/

There are quite a few different hardware keys out there. I work with Yubikeys since years and they never failed on me.

This is the safest option you can chose. If you go that route, you should have at least 2 keys. One which is your "active" key, that you can take with you for instance. The 2nd one will be registered as well and basically stay in a safe place. The thing is, when you lose or break your (hardware) passkey, you need to somehow recover your account of course, which is why I always recommend to have at least 2. The smaller "Security Key" from Yubico does everything you need in this case: FIDO 2. They are superior to passwords in every scenario.

However, after they started to become somewhat more popular, password managers started to integrate software passkeys. They do the same thing, with the only difference that they live in software. Google has them, Apple has them, basically anyone these days does. You can also create a passkey e.g. on an Android device with your fingerprint. The only problem with these is:

• Either it's a "safe" local key, stored in some TPM chip or on device only. This is good at first, but it will of course only let you in with this very device.
• Or you have them synced in some password manager like Google, Apple iCloud, or you use others (better ones) like e.g. Bitwarden. They do the same thing. Simulating a passkey in software, with the only difference that they keep them (somewhat) secure in some cloud, somehow, somewhere. And this is also the problem. You need to trust these services, which you probably do when youi use them for storing passwords anyway. In some cases, you may have stricter rules and require hardware-bound keys. This is an option that will come to Rauthy in the future as well.

This means, if you e.g. install a password manager like the Bitwarden extension in your firefox, it will be able to provide Passkey capabilities. Windows does it on OS level via "Windows Hello" or however it's called these days. Apple can do it via iCloud. For Linux on OS level, I am not aware of a native impl. If you want to keep everything local, I think KeePassXC can do all of this as well, but I never used it myself.

If you want to play around with Passkeys, and have a deeper look into what your platform supports, how it behaves, and so on, I suggest to take a look at https://webauthn.io/ .You can of course also use Rauthy to do this testing, but on webauthn.io you will see some internal details about all the supported values that your browser sends. Rauthy hides most of them for ease of use.
If you want to know more about the internals, have a look in the web for "FIDO 2", like e.g. here: https://www.yubico.com/authentication-standards/fido2/

In the end, if you really care about the most secure option, I can only highly suggest to get 2 Yubikey Secrity Keys (or similar).