Add info about FIDO2/WebAuthn
Parent
08283bab35
Commit
9dacef6c9a
2 changed files with 16 additions and 0 deletions
15
docs/model-fido2.md
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
## How is UV handled in mailcow?
|
||||||
|
|
||||||
|
The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey).
|
||||||
|
|
||||||
|
## Login and key processing
|
||||||
|
|
||||||
|
mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory.
|
||||||
|
|
||||||
|
A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login.
|
||||||
|
|
||||||
|
When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory.
|
||||||
|
|
||||||
|
## Who can use WebAuthn to login to mailcow?
|
||||||
|
|
||||||
|
As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2.
|
|
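Review bot: The UV section leaves out the security consequence of not enforcing user verification, and its second sentence ("We don't enforce UV to allow logins via iOS and NFC (YubiKey)") can be read two ways. Suggest rewording it along the lines of "We don't enforce UV, so that logins via iOS and NFC (YubiKey) keep working", and adding a sentence on what still protects the login when no PIN or biometric check is required, since the next section says no username is entered and the last section limits the feature to administrators and domain administrators. Smaller points in the same hunk: "i.e. YubiKey" should read "e.g. a YubiKey", "client-side key processing" could name the WebAuthn term (discoverable credentials, formerly resident keys) so readers can look it up, and "As of today" will go stale without a date or version next to it.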
@ -44,6 +44,7 @@ nav:
|
||||||
- 'Sender and receiver model': 'model-sender_rcv.md'
|
- 'Sender and receiver model': 'model-sender_rcv.md'
|
||||||
- 'ACL': 'model-acl.md'
|
- 'ACL': 'model-acl.md'
|
||||||
- 'Password hashing': 'model-passwd.md'
|
- 'Password hashing': 'model-passwd.md'
|
||||||
|
- 'WebAuthn / FIDO2': 'model-fido2.md'
|
||||||
- 'Debugging & Troubleshooting':
|
- 'Debugging & Troubleshooting':
|
||||||
- 'Introduction': debug.md
|
- 'Introduction': debug.md
|
||||||
- 'Logs': 'debug-logs.md'
|
- 'Logs': 'debug-logs.md'
|
||||||
|
|