Bug 8043 - FIDO/U2F/Security key authentication support
Summary: FIDO/U2F/Security key authentication support
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
Depends on:
Reported: 2022-12-09 14:25 CET by Pierre Ossman
Modified: 2023-11-10 08:15 CET (History)
3 users (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2022-12-09 14:25:49 CET
Using OTP for MFA is not considered secure enough by some users, as it is vulnerable to various phishing attacks. I.e. where the user is tricked in to giving up their (temporary) code to the attacker, which can then use the code to impersonate the user.

Other MFA methods are more resilient against this, usually because they use some form of strong cryptography that isn't as easily intercepted and tricked. We already support smart cards and SSH public keys¹ that qualify for this.

¹ Although it is difficult to enforce good private key policy, like password protection

Another commonly used system is FIDO/U2F/FIDO2, which users would like to be able to use with ThinLinc. Fortunately, OpenSSH already has support for these, so it should hopefully be possible to integrate with ThinLinc.
Comment 1 Pierre Ossman cendio 2022-12-09 14:26:31 CET
Note that ThinLinc's dual authentication architecture (bug 2545) might cause some headaches here.
Comment 2 Pierre Ossman cendio 2022-12-09 14:27:58 CET
The American federal government are trying to enforce a requirement of phishing resistant MFA on their agencies:


They seem to prefer their smart cards (PIV), but FIDO2 seems to be the prominent alternative.

Note You need to log in before you can comment on or make changes to this bug.