Webauthn authentication (passkeys, security keys)

jfroy · July 11, 2022, 10:45pm

Support Webauthn authentication in the frontend. This will allow use of hardware security keys as well as passkeys. Ideally this should be offered as an alternative to a password, instead of as an MFA method.

the-mentor · October 17, 2022, 3:29pm

+1 this would be really awesome!!

pOpY · May 5, 2023, 8:02pm

+1 on this. Google supporting passkeys since a few days official.

Pittermaennchen · May 7, 2023, 8:16am

+1 I hope to increase security

gabichan · August 1, 2023, 11:37pm

+1 it’s mandatory

tobiasold · August 27, 2023, 1:43pm

would be great to get this feature available. Thanks in advanced for taking care about.

aaroneisele55 · August 27, 2023, 2:07pm

This could greatly increase login security for HA Servers that are exposed to the internet, as these already have HTTPS in most cases, it could either be used as MFA/2FA module (username+password+security key) or one could use it as a replacement for usernames/passwords by taking advantage of the new Passkey standard that the current versions of Android, Windows 11 and (AFAIK) all Apple OSes have built-in

dickey · August 27, 2023, 6:27pm

+1 would be very helpful

dominik4545 · September 17, 2023, 1:21pm

+1 would also like to see passkeys in HomeAssistant

spitf1r3 · September 26, 2023, 6:39pm

I think it would be ideal to do either/both. Sometimes it is useful to be able to fall back to username+password+TOTP

NathanCu · November 3, 2023, 12:19pm

I have no idea how I missed ths one.

ABSOLUTELY and with high priority.

Every system that exposes an end user login on the Internet needs to work towards passkey auth. Full stop.

Today is Nov 3. Microsoft just released passkey auth in win11 so I can already log in to 5/9 of my daily driver websites with a passkey. Two of those I can’t are this community website and my HA install. That needs to change.

danielperna84 · November 3, 2023, 2:46pm

At least here you can link your community-account to your GitHub account. And GitHub supports WebAuthn for a while. So one less where you can’t login with SSO.

NathanCu · November 3, 2023, 2:54pm

That’s good to know! I generally don’t use federated auth to login like that. But for this one I’d make an exception.

ssancese · November 3, 2023, 9:55pm

+1 on that, yeah!

olibos · November 8, 2023, 8:14am

+1
Bitwarden also support passkey storage.
Supported in Vaultwarden 1.30.0 and soon in GitHub - hassio-addons/addon-bitwarden: Vaultwarden (Bitwarden) - Home Assistant Community Add-ons

webzit · November 17, 2023, 4:29pm

+1

I have installed oauth2proxy with keycloak as access security service, which works fine. Unfortunately, HA’s in-app browser does not allow WebAuthn (Passkeys). It would be great if the in-app browser in iOS would allow WebAuthn requests.

p-s · November 18, 2023, 3:55pm

+1
I would love this.

DCSBL · November 20, 2023, 1:26pm

I have been playing with passkeys inside Home Assistant this weekend and it seems not that hard to implement. But can’t do this alone.

First of all, I’ve opened an discussion at Add Passkey as alternative authentication method · home-assistant/architecture · Discussion #1001 · GitHub, but discussions are not feature requests. Then I found this topic .

Also: I actually have no idea what I am doing. I would be the last to ask about security and authentication. But I love to learn new things and see how it works. That’s why I looked up “How to implement passkeys” and get to work.
It would be cool to have this added, but this would be a bit to big of a project for ‘just me’. And I am sure there are quite some ideas already.

Is it possible?

My preliminary answer is yes, of course. Here are my findings:

Implementing the frontend on the web is possible. I’ve tested generating keys, and it works nicely.
- I’ve used the example code from GoogleChromeLabs/passkeys-demo and some documentation from https://webauthn.io and integrated it into Home Assistant.
Implementing this in the apps should be possible, but it’s unknown how difficult it would be.
The backend uses Python, and there is a well-maintained Python library that can be used. I’ve tested this, and it works as expected.

What have I done so far.

See the PR below. I’ve added the minimum to allow generating passkeys. I’ve hacked in without known what I actually knowing what I am doing just to get it to work.

So, if you have any ideas or know where to help, feel free to ping me!

github.com/DCSBL/core

Add bare-minimum to generate and store passkey

DCSBL:dev ← DCSBL:passkey-poc

opened 11:42AM - 19 Nov 23 UTC

DCSBL

+745 -2

This PR is opened to allow code-discussion. Change are _way_ to dirty and prelim…inary to be seen in @home-assistant/core. Follow the discussion here: https://community.home-assistant.io/t/webauthn-authentication-passkeys-security-keys/439166/17 ## How to use - Setup development environment for [core](https://developers.home-assistant.io/docs/development_environment) and [frontend](https://developers.home-assistant.io/docs/frontend/development/) - Apply latest patch to frontend: [passkey-frontend.patch](https://github.com/DCSBL/core/blob/passkey-poc/passkey-frontend.patch) - Go to 'Profile' and git 'Add passkey' - Respond to passkey promt - Passkey should be stored in `config/.storage/auth_provider.webauthn` - Add `webauthn` as auth provider → https://www.home-assistant.io/docs/authentication/providers/ - Sign out, try to sign in using your passkey - This fails, but it is something. That's it, nothing else is possible at the moment.

Edit: Due some personal events I am unable to continue this project in the near future. Feel free to pick where I left.

nwgat · March 14, 2024, 7:29pm

i also agree that passkeys is the way to go, all the major browsers support it, btw DCSBL good to see there is some preliminary work that has been done

vitalii.martyniak · July 28, 2024, 10:27am

@DCSBL inspired your MR, I’m trying to bring that feature).

Add webauthn auth provider by VDigitall · Pull Request #122725 · home-assistant/core · GitHub
Add webauthn auth provider UI components by VDigitall · Pull Request #21485 · home-assistant/frontend · GitHub