Add info about FIDO2/WebAuthn

Dieser Commit ist enthalten in:
andryyy 2020-11-14 19:18:04 +01:00
Ursprung 08283bab35
Commit 9dacef6c9a
2 geänderte Dateien mit 16 neuen und 0 gelöschten Zeilen

15
docs/model-fido2.md Normale Datei
Datei anzeigen

@ -0,0 +1,15 @@
## How is UV handled in mailcow?
The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey).
## Login and key processing
mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory.
A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login.
When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory.
## Who can use WebAuthn to login to mailcow?
As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2.

Datei anzeigen

@ -44,6 +44,7 @@ nav:
- 'Sender and receiver model': 'model-sender_rcv.md' - 'Sender and receiver model': 'model-sender_rcv.md'
- 'ACL': 'model-acl.md' - 'ACL': 'model-acl.md'
- 'Password hashing': 'model-passwd.md' - 'Password hashing': 'model-passwd.md'
- 'WebAuthn / FIDO2': 'model-fido2.md'
- 'Debugging & Troubleshooting': - 'Debugging & Troubleshooting':
- 'Introduction': debug.md - 'Introduction': debug.md
- 'Logs': 'debug-logs.md' - 'Logs': 'debug-logs.md'