Replies: 3 comments 2 replies
-
|
That is quite the rollercoaster of chained issues and PRs. (We need to reopen the issue for backup codes so thanks for digging through that) I just want to clarify a bit, you are looking for the ability to login using a link/code that is sent to your email that would count as a single factor or did you mean something else? I'm interested to hear what @james-d-elliott has to say on the topic of allowing email OTP to count as a single factor (or more). Although I suspect I already know his views on the matter; email is not sufficiently secure to count as a single factor by itself. Something you know, something you have, or something you are. Email is none of those things. You have an account on someone else's server (google, apple, proton etc.), allowing anyone with access to your mailbox the ability to login using that mailbox. Email is generally seen as half a factor, and as such its not used for anything more than verifying identity on top of existing methods (via Elevated Session). I'm not against allowing administrators to make the conscious decision to allow users to use email to login (same with password expiry). We are planning to rework the way that we handle authentication to make better use of AMRs. This would allow administrators to define what each authentication method counts for (1fa, 2fa, etc.) and what users are or aren't allowed to use. This work was partially begun with the new passkey feature. |
Beta Was this translation helpful? Give feedback.
-
Exactly this. I understand the point you make around email being effectively "half a factor" since it's an out-of-band channel accessible by multiple entities (usually) — incidentally this is the problem I have with SMS being used as a "second factor". However, I think this model breaks down in the face of password resets. An account with password-only login that can be reset by email cannot be more secure than an email-based login. I am not well versed in the security literature, but it seems to me that in a traditional password login scenario, the level of the security is the minimum between:
I think there's something to be said about a user noticing if their password has been changed on subsequent logins, but that's a separate matter from a malicious individual successfully authenticating. On this note, it's probably worth mentioning a relevant article I found: Zero Factor Authentication: A Four-Year Study of Simple Password-less Here's a choice quote from it:
For the sake of clarity: I myself am not a big fan of emailed codes/authentication links. I'm much more interested in passkeys/Webauthn, and otherwise happy with high-entropy generated passwords. However, as an admin for some services I want to share with people who I know use and forget hopelessly insecure passwords (e.g. grey-haired relatives), I consider email-based auth to be a security improvement in practice. It is also a better experience for these users. |
Beta Was this translation helpful? Give feedback.
-
|
UX for those who are less technically astute is a very good driving factor for something like this. I think that if we were to implement something like this (magic links, or otherwise) it would have to be per-user, to avoid dropping everyone's account security to that of the email account in use (only as strong as the weakest link). Currently, changing the way first factor methods work is difficult. I think we probably want to wait and gauge community interest due to the work needed for a feature like this. |
Beta Was this translation helpful? Give feedback.
-
|
I apologize in advance, This response is quite lengthy. Hopefully my opinion and the length do not discourage you from expressing your ideas and being generally involved in the community. I am generally not in favor of something like this, and unfortunately my opinion on this is very unlikely to waiver much but this isn't due to lack of consideration. I am open to changing my opinion, but effectively my opinion has grown more sure as time has passed. This idea has been formed though both anecdotal interactions with the kinds of people this is intended to affect and in measurable metrics from a large company. There are two parts to how my opinion has formed. Part 1The reasoning presented in favor of this is users who are likely to use bad passwords, and by using a magic link or other such email it is good for security as it reduces phishing viability and MFA fatigue. However the argument in my opinion is objectively flawed. An emailed magic link or OTP in an email is substantially easier to phish or exploit via fatigue. The reason it's easier to phish in this case especially in a first factor scenario is that a malicious attacker is able to trigger the email being sent at an opportune time to ask the user to provide it to them. This information, when compared to a password, is far less likely to considered a security risk as it is not universally considered bad to share email content with strangers. Would a security savvy user catch deception here? Probably. But we're not talking about security savvy users. They are the ones likely to be fooled by a well crafted deception. The reason it's easier to exploit via fatigue is directly linked to the idea of a magic link, it doesn't affect a single use code they have to manually enter or copy. The mere act of asking over and over again to authenticate could allow a person to accidentally click the link causing the authentication to go through. Part 2The direction of Authelia is changing slightly to better support emerging standards that make communication of authorization level easier and more universally understood. We're moving towards using AMR (RFC8176) as part of the Passkey changes. This will allow accurate communication to third parties how much authentication stress the session has undergone. Realistically there is not a current description of this, but it could be added for sure i.e. To me this in conjunction with part 1 is a very compelling reason to suggest this should never be a passwordless option. Realistically the answer to passwordless logins is Passkeys, and the answer to users picking bad passwords is enforced MFA. Specific Responses
Well I happen to agree with you. That's why we not only allow disabling it (will require explicitly enabling it in v5) and offer a custom URL for password resets. We would also be interested in ideas that improve this in any way.
I must admit, I did not particularly like this idea in general. I could never really pinpoint why. I had intended to reopen it but I evidently forgot. However as time has passed and some ideas you've shared my reason for disliking it has become quite clear.
Precisely. This is an important factor to remember. The users you're talking about are the ones who will also have bad security hygiene with their emails. So the problem this tries to solve is just as bad as it was before, except any protection authelia has to prevent brute forcing passwords is completely null and void (regulation). We're actively trying to devalue the power email access provides with options (see the require_second_factor option here) (and this is likely to be forced with no option to disable it in v5 especially once recovery codes are added). This unfortunately conflicts with that. This comment actually helped cement my ideas somewhat. Realistically if email can be used as a second factor or first factor, the logical outcome is that the email is the only barrier between access and no access.
The study seems very dated to me actually. It's from 2015 effectively before passkeys, but around the time of WebAuthn (in its early infancy). There is not a single mention of WebAuthn as a consideration (though it seems to hint towards FIDO1). It also talks about same passwords for differing websites and database leaks being an issue. But this is very very old and makes me seriously question the writers. Even in 2015 heavily salted and hashed passwords were a standard practice making a DB leak less problematic as the hash for the same password on two sites will not be the same even given the same algorithm and algorithm parameters. The only arguments they present against FIDO itself the lack of a clear pathway to user adoption. Well I think this has been very well solved by browser and operating system manufacturers. Ironically I feel like AlternativesI don't want to let the underlying problem go unsolved. So I have some alternative ideas that may be a better direction. I think reasonably there is a standard or two that effectively implements passwordless logins. The most widely supported one on multiple platforms natively (i.e. as part of the OS or browser) is WebAuthn Passkeys. There are many ways to interact with passkeys as well, such as with passkeys stored on phones you can interact with them over low energy bluetooth. I think we can also reasonably include OpenID Connect 1.0 Relying Party support as an answer to this. This method heavily integrates with AMR (RFC8176) allowing us to determine how well authenticated the user is from the OpenID Connet 1.0 Provider and choose if we do or do not trust their assertion. You could also leverage the free tier of Duo for this. This is probably easier than email if you ask me. A user just has to confirm authentication on their phone after using their bad (but hopefully long) passphrase. This may also be partially an answer to "how to get them to use good passwords". Ask them to use a passphrase instead, and teach them a way to remember it. An other alternative that may be possible at some time is SQRL, Though I don't see large adoption for this and I think it's not as well known, probably making it difficult for the same users. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the detailed reply James! From our discussion so far (lumping in Brynn), I get the picture we're all very much of the same mind regarding what good security is: complex passwords with MFA, passkeys and Webauthn. The tricky bit is how to handle legacy/basic methods. To try to get the most out of this discussion, I think it could be worth honing in on a problem-solving framing. I didn't want to over-emphasise my own use case here, but perhaps it's worth exploring it a bit further as an example/case-study. I've got a server where I'm selfhosting a bunch of useful services. I've had a great time with this, and having Authelia as an SSO solution has been brilliant. Some of these services deserve a robust approach to security (e.g. my code forge and headscale), while other services I don't want to be abused by public access and so a minimal level of authentication is sufficient (e.g. a pastebin). I've realised some of these are of some interest/use to friends and family, and would like it to be easy for them to use these services (even if it's easier in the long run). I don't think it will surprise anyone to hear that among friends and family, the level of technical skill/adoption varies greatly. A few have jumped on password managers/passkeys over the past few years 🎊, while others have a physical book of passwords (with missing entries) 😣, and their reaction to the "remember this password?" or (with recent platform updates) "do you want to register a passkey?" UI popping up on their phone has been "how do I dismiss this popup?". This particularly applies to those that are not particularly technical, but are extraordinarily busy. They perceive a high switching cost to adopting any new technology around something as common as logging into a website/service. So, the goal that I have is to make it possible to use these services without compromising security or usability. It's in these regards that I see emailed codes as a good fit, just as basic single-factor auth. I worry that enforcing requiring like TOTP/passkeys will result in them simply not using the service at all, which is rather counterproductive, particularly given a much lower security level is acceptable here. |
Beta Was this translation helpful? Give feedback.
-
Hello!
I've been using Authelia as the login glue with a web of self-hosted services, and it's been fantastic! I've found the standard password/2FA login works just fine for me (and anyone else with a password manager), and I'm very much looking forward to the passwordless Webauthn support in 4.39.
However, there are a few services I run where I want to give somebody access who doesn't use a password manager who is prone to:
While I'd love these people to either use passkeys and/or a password manager, this is an uphill battle. I've set the minimum password length to 12, but observationally this has just caused annoyance and things like padding with periods 😒.
For these situations, it would be ideal if Authelia could support email-based passwordless login, where either an OTP code is sent or a login-link is generated and sent (or both in one email!). This improves ease of use and security for these users (both in terms of these users no longer setting insecure passwords, and also reduced security fatigue/phishing susceptibility).
I see this originally came up in #2783 which was closed in favor of #2035. While #2035 was resolved through #3801 + #6332, the email-based login articulated in #2783 was not part of the final design/PRs. More recently this came up in #4619 (reply in thread).
I imagine the login UI (currently: username + password fields) will be restructured a bit with the impending Webauthn work, given the current support for emailing OTP codes for security elevation I'm tentatively hopeful it wouldn't be much work to support this workflow.
I'm not sure choosing this method should best be managed, but one thought that occurs to me is that this could be the main authentication method if the password is unset/the empty string (assuming Authelia can check for this?). Maybe there's a better method, this is just a quick thought I had.
Beta Was this translation helpful? Give feedback.
All reactions