← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #57421

[Bug 1861714] [NEW] Multifactor authentication / WebAuthn support for logins

  Thread PreviousDate PreviousThread Next 
*** This bug is a security vulnerability ***

Public security bug reported:

Securing passwords becomes more and more important these days. Often,
two-factor or multifactor authentication is used for that and requires
either an app on a phone or a YubiKey.

There is a new way that looks promising, WebAuthn https://webauthn.io :

"The Web Authentication API (also known as WebAuthn) is a specification
written by the W3C and FIDO, with the participation of Google, Mozilla,
Microsoft, Yubico, and others. The API allows servers to register and
authenticate users using public key cryptography instead of a password."
https://webauthn.guide

This could be beneficial for the internal Mahara login. If SSO requires
MFA or similar then that is handled by SSO.

** Affects: mahara
     Importance: Wishlist
         Status: Confirmed


** Tags: authentication

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1861714

Title:
  Multifactor authentication / WebAuthn support for logins

Status in Mahara:
  Confirmed

Bug description:
  Securing passwords becomes more and more important these days. Often,
  two-factor or multifactor authentication is used for that and requires
  either an app on a phone or a YubiKey.

  There is a new way that looks promising, WebAuthn https://webauthn.io
  :

  "The Web Authentication API (also known as WebAuthn) is a
  specification written by the W3C and FIDO, with the participation of
  Google, Mozilla, Microsoft, Yubico, and others. The API allows servers
  to register and authenticate users using public key cryptography
  instead of a password." https://webauthn.guide

  This could be beneficial for the internal Mahara login. If SSO
  requires MFA or similar then that is handled by SSO.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1861714/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next