U2F extension for palemoon

Support and discussions for the x86/x64 Linux version of Pale Moon.

Moderators: trava90, satrow

Post Reply
Peregrine
Apollo supporter
Apollo supporter
Posts: 45
Joined: 2015-10-26, 08:39
Location: planet earth, orion arm, milky way, the universe

U2F extension for palemoon

Post by Peregrine » 2019-06-29, 17:01

Hey guys,

I've been reading up on U2F / 2FA.
On one side, I'd like to add the 2FA package to the TAZ distro (i.e. to help secure Google accounts better; note I don't mean phone-based systems (already covered at https://forum.palemoon.org/viewtopic.php?f=4&t=19740), I only mean adding another layer of security through a usb device), but on another side, I'm having my considerations against it. One particularly annoying thing about it is that yubikeys (and similar) don't (easily) allow for copying the keys (probably because they feel that's "insecure"). I find this a problem as I don't want to support something that risks users being locked out of their google account, i.e. if they lost their key. I also don't even like the idea of needing another usb key at all, as it takes up one usb port, and you also need to buy another piece of hardware. The best would be a digital key you could just create and put on your own usb stick (which you might already have), but according to a Quora article "that's impossible".

Digging further, I also found there are "U2F NFC" cards/devices being developed (see https://www.pandasecurity.com/mediacent ... e-account/ ) and they're now already on the market (yubikey has them and solokey too). There's also a gentoo package (net-wireless/neard). Some NFC cards (mifare, ...) seem to be easy to copy, but I doubt these are the same cards ?

I've also looked at biometrics (sys-auth/fprintd, and media-libs/opencv + Shantnu's FaceDetect python script or something else like boltgold's Howdy or ageitgey's face_recognition) instead, but these can't be used online yet (not used by Google, ...) so that's "possibly" only useful as an alternative to the system's password. Also, since I really want to keep the distro very lean (the intent is that it fits on a cd-r; after it's finished and compressed and runs on systems with say just 750 mhz ).

What do you all think ? Should I add gentoo's 2FA package (sys-auth/pam_u2f ; see https://wiki.gentoo.org/wiki/Pam_u2f )?
And if so, what's the best option to copy the data on this (backup purposes) ?
Also, what do you guys think on the fingerprint id / facial detection id for circumventing password use on gentoo itself ?
Lastly, I also noticed that firefox didn't support 2FA untill quite recently (see https://medium.com/@nparlante/the-unoff ... 01fa5cb4da ) so I assume we would then need a palemoon extension to make that work too ?

PS: the distro still is going to be released (I now it's been going on for a while now, and we have been idle for several months -mainly due to real world circumstances-) but it is coming (we're back at it and focusing on getting the boot setups working first, and we'll then release the beta -which will at that time probably still contain quite a lot of issues, to be worked out as we go along)

Lunokhod
Fanatic
Fanatic
Posts: 130
Joined: 2017-04-20, 21:25
Contact:

Re: U2F extension for palemoon

Post by Lunokhod » 2019-06-30, 12:23

Speaking as a Pale Moon user, (don't think this is an 'official' answer :D ) it occurred to me biometric recognition is most useful for identifying if a person is who they claim to be when they are physically present. If you take a say a fingerprint and turn it into a dataset that is used remotely then it could be captured and recreated, or possibly taken from a photo. And if someone pwns your fingerprint how do you change it for a new one? Possibly it could be used locally to generate encrypted passwords that are then used online, although even then if you have this single unchanging ID then malware could compromise it. But passwords, especially those that are memorable and easily typed, are also potentially insecure, increasingly so as computers get faster, and it would be easier to have some simple thing where you don't have to type in a password every time. What about a transponder with a code on it? I guess some of the key solutions are similar to that idea anyway, I hadn't heard of that before, interesting.

Peregrine
Apollo supporter
Apollo supporter
Posts: 45
Joined: 2015-10-26, 08:39
Location: planet earth, orion arm, milky way, the universe

Re: U2F extension for palemoon

Post by Peregrine » 2019-07-01, 07:27

Hey vingtzwanzig,

The biometrics were just an additional question, the most important one was the question about whether or not to implement u2f and how we can backup the u2f device. Personally, I'd prefer some way that allows using a regular usb stick (but not at all sure that's possible) -I mainly got the idea after reading up on the u2f-zero project (see https://github.com/conorpp/u2f-zero/wiki , it's the same guy which is now making the Solokey) and from software tools for making "usb unlock keys" (see https://www.makeuseof.com/tag/3-tools-t ... ck-key-pc/ ), but that's different from u2f and u2f is really needed to allow using it online with google accounts. Personally, I don't even think it really needs to be true u2f, but rather something which connects to google using "u2f", but it can be as simple as an extra password stored in sha-256 or something. Basically, I'd just want to add an extra password to increase security online, so you use 2 passwords rather than just one.

Anyway, for the biometrics (fingerprint):
this doesn't need to be "uber-secure", just faster to use and more secure than a simple password that gets typed in/set at boot (any password can be set so even a password as short as one letter). Remember that its just to secure the root account of the pc btw, it's not going to be used online. Also, as the password is set at every boot, any password you typed in last time will be erased and you can use a new one every day (if you want to). But as said, even one letter is sufficient for the password, and most will probably use the same password every day, so depending on the user it can still be quite insecure.

Post Reply