U2F authentication with Expressive?

#1

Hi all,

I would like to know if someone has already worked on an integration of FIDO U2F authentication in Expressive?
There is a PHP library here (Yubico): https://github.com/Yubico/php-u2flib-server

It can be a good thing, no?


#2

I only found a few implementors of the library you mentioned: https://packagist.org/packages/yubico/u2flib-server/dependents

I looked at the code, and (to this date) none of those are worth considering (seriously, NOT EVEN ONE OF THEM HAS TESTS?! 2018 people, 2018!!!). Honestly, that’s highly discouraging, especially on such security-sensitive components.

This will likely need work, but it can easily be wrapped into a PSR-15 middleware. Should I give it a stab this week? Any interest?

Or any pointers to generic 2FA support (TOTP would also fit, since Yubikeys support it via NFC) packages that can be used to wire together a middleware?

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/


#3

Thanks for your answer.

I didn’t look at this server code, but like you said, they have some/many dependencies and the code may not be so good, and we are talking about security…

I asked because I use Expressive for different apps (intranet/extranet) with authentication, and U2F seems a good, secure and trendy option to add a security layer for authentication with a USB key or NFC.

For my part, I am still waiting for version 1.0 of oauth2 first :wink: But in the near future a 2FA layer can be a good option :slight_smile:

We can wait for other opinions… or launch a poll later maybe?