[WebAuthn] Added article to clarify about Vendor CA

Niklas Meyer 2022-01-20 15:57:35 +01:00 committed by GitHub
Parent c353558af5
Commit 095fe20e34
No GPG key could be found for this signature
GPG key ID: 4AEE18F83AFDEB23


@ -37,6 +37,8 @@ Finally, enter your current account password and, after selecting the `Touch Yub
Congratulations! You can now log in to the mailcow UI using your YubiKey!
---
## WebAuthn (U2F, replacement)
> :warning: **Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.<br>**
> *The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the `update.sh` script.*
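Review bot: the warning's claim that Chrome "standardized the use of WebAuthn" overstates what the page supports; Chrome is retiring its legacy U2F API, and WebAuthn is the W3C standard that replaces it, so "has deprecated the U2F API in favour of WebAuthn" is the accurate wording. Also in this hunk, the bold span is closed after the `<br>` tag (`...WebAuthn.<br>**`), so the line break renders inside the emphasis; move `**` in front of `<br>`. Minor: `21th January` should be `21st January`, and `a update` should be `an update`.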
@ -78,6 +80,17 @@ To enable this feature, change the value `WEBAUTHN_ONLY_TRUSTED_VENDORS` in mail
The mailcow will now use the Vendor Certificates located in your mailcow directory under `data/web/inc/lib/WebAuthn/rootCertificates`.
### Is it dangerous to keep the Vendor Check disabled?
No, it isn´t!
These vendor certificates are only used to verify original hardware, not to secure the registration process.
As you can read in these articles, the deactivation is not software security related:
- [https://developers.yubico.com/U2F/Attestation_and_Metadata/](https://developers.yubico.com/U2F/Attestation_and_Metadata/)
- [https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651)
- [https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01](https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01)
In the end, however, it is of course your decision to leave this check disabled or enabled.
##### Example:
If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`.
After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices.
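Review bot: "No, it isn´t!" and "the deactivation is not software security related" are stronger than the linked articles support. Attestation gives the relying party a signed statement about which authenticator model produced the credential; with `WEBAUTHN_ONLY_TRUSTED_VENDORS` off, mailcow still verifies the credential's own key pair and signatures at registration and on every login, but it can no longer distinguish a certified hardware key from a software or unknown authenticator, so any authenticator policy an admin intends (hardware-only, or specific vendors as in the Apple example in this hunk) cannot be enforced. Suggest rewording to: "Disabling the check does not weaken the login itself; the key pair and signatures are verified either way. It only means mailcow cannot verify what kind of authenticator registered the credential." Also in this hunk: `isn´t` uses an acute accent instead of an apostrophe, "The mailcow will now use" reads better as "mailcow will now use", and `##### Example:` jumps from an h3 to an h5; use `####` to keep the heading hierarchy.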
@ -91,6 +104,8 @@ Just copy the certificate into the `data/web/inc/lib/WebAuthn/rootCertificates`
Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually.
---
## TOTP
The best known TFA method mostly used with a smartphone.
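Review bot: the step "Just copy the certificate into `data/web/inc/lib/WebAuthn/rootCertificates`" should say how to confirm the file is genuinely the vendor's attestation root, because every certificate in that directory becomes a trust anchor and a certificate taken from an untrusted source would make the vendor check pass for any device attested under it. Suggest adding a sentence such as: obtain the root from the vendor's own site and compare its fingerprint (for example `openssl x509 -in cert.pem -noout -fingerprint -sha256`) before copying it in. Minor: the TOTP line says `TFA` while the rest of the page uses `2FA`; pick one.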