Merge pull request #287 from maxileith/master

Updated the browsers that support U2F
Peter 2021-06-19 21:38:49 +02:00 committed by GitHub
Commit f011af297c
No GPG key could be found for this signature
GPG key ID: 4AEE18F83AFDEB23

@ -1,10 +1,10 @@
So far three methods for *Two-Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP So far three methods for _Two-Factor Authentication_ are implemented: U2F, Yubi OTP, and TOTP
- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. - For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.
- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). - Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com).
- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. - While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS.
- U2F and Yubi OTP support multiple keys per user. - U2F and Yubi OTP support multiple keys per user.
- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. - As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually.
As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in. As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.
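Review bot: the only visible change in this hunk is the emphasis marker on its first line (`*Two-Factor Authentication*` becomes `_Two-Factor Authentication_`), which has nothing to do with the browser list this commit is about; drop it or move it to a separate formatting commit. If these lines are being touched anyway, the last context line deserves the fix more: "temporary disable a domain administrators TFA login" should read "temporarily disable a domain administrator's TFA login", and the first line is missing its closing full stop.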
@ -19,8 +19,22 @@ The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are
### U2F ### U2F
Only Google Chrome (+derivatives) and Opera support U2F authentication to this day natively. To use U2F, the browser must support this standard.
Since version 67 Mozilla Firefox can handle U2F natively. ([Source](https://support.yubico.com/support/solutions/articles/15000017511-enabling-u2f-support-in-mozilla-firefox))
The following desktop browsers support this authentication type:
- Edge (>=79)
- Firefox (>=47, enabled by default since version 67)
- Chrome (>=41)
- Safari (>=13)
- Opera (40, >=42, not 41)
The following mobile browsers support this authentication type:
- Safari on iOS (>=13.3)
- Firefox on Android (>=68)
Sources: [caniuse.com](https://caniuse.com/u2f), [blog.mozilla.org](https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/)
U2F works without an internet connection. U2F works without an internet connection.
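Review bot: the new Firefox entry "(>=47, enabled by default since version 67)" implies that versions 47 to 66 need U2F switched on by hand, but the hunk removes the Yubico link that explained how and puts nothing in its place; keep that link next to the Firefox entry or state the setting the user has to change. "Opera (40, >=42, not 41)" is hard to parse and would read better as "Opera (40 and >=42; not supported in 41)". The blog.mozilla.org URL points at a Web Authentication post, so it is worth confirming that it supports the "Firefox on Android (>=68)" line as a U2F claim, and an "as of" date on the two lists would tell readers when the version numbers were last checked.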