Webauthn authentication (passkeys, security keys)

Support Webauthn authentication in the frontend. This will allow use of hardware security keys as well as passkeys. Ideally this should be offered as an alternative to a password, instead of as an MFA method.

+1 this would be really awesome!!

5 Likes

+1 on this. Google supporting passkeys since a few days official.

3 Likes

+1 I hope to increase security

2 Likes

+1 itā€™s mandatory

4 Likes

would be great to get this feature available. Thanks in advanced for taking care about.

1 Like

This could greatly increase login security for HA Servers that are exposed to the internet, as these already have HTTPS in most cases, it could either be used as MFA/2FA module (username+password+security key) or one could use it as a replacement for usernames/passwords by taking advantage of the new Passkey standard that the current versions of Android, Windows 11 and (AFAIK) all Apple OSes have built-in

1 Like

+1 would be very helpful

1 Like

+1 would also like to see passkeys in HomeAssistant

3 Likes

I think it would be ideal to do either/both. Sometimes it is useful to be able to fall back to username+password+TOTP

2 Likes

I have no idea how I missed ths one.

ABSOLUTELY and with high priority.

Every system that exposes an end user login on the Internet needs to work towards passkey auth. Full stop.

Today is Nov 3. Microsoft just released passkey auth in win11 so I can already log in to 5/9 of my daily driver websites with a passkey. Two of those I canā€™t are this community website and my HA install. That needs to change.

2 Likes

At least here you can link your community-account to your GitHub account. And GitHub supports WebAuthn for a while. So one less where you canā€™t login with SSO.

1 Like

Thatā€™s good to know! I generally donā€™t use federated auth to login like that. But for this one Iā€™d make an exception.

+1 on that, yeah!

+1
Bitwarden also support passkey storage.
Supported in Vaultwarden 1.30.0 and soon in GitHub - hassio-addons/addon-bitwarden: Vaultwarden (Bitwarden) - Home Assistant Community Add-ons :wink:

+1

I have installed oauth2proxy with keycloak as access security service, which works fine. Unfortunately, HAā€™s in-app browser does not allow WebAuthn (Passkeys). It would be great if the in-app browser in iOS would allow WebAuthn requests.

+1
I would love this.

I have been playing with passkeys inside Home Assistant this weekend and it seems not that hard to implement. But canā€™t do this alone.

First of all, Iā€™ve opened an discussion at Add Passkey as alternative authentication method Ā· home-assistant/architecture Ā· Discussion #1001 Ā· GitHub, but discussions are not feature requests. Then I found this topic :wave:.

Also: I actually have no idea what I am doing. I would be the last to ask about security and authentication. But I love to learn new things and see how it works. Thatā€™s why I looked up ā€œHow to implement passkeysā€ and get to work.
It would be cool to have this added, but this would be a bit to big of a project for ā€˜just meā€™. And I am sure there are quite some ideas already.

Is it possible?

My preliminary answer is yes, of course. Here are my findings:

  • Implementing the frontend on the web is possible. Iā€™ve tested generating keys, and it works nicely.
  • Implementing this in the apps should be possible, but itā€™s unknown how difficult it would be.
  • The backend uses Python, and there is a well-maintained Python library that can be used. Iā€™ve tested this, and it works as expected.

What have I done so far.

See the PR below. Iā€™ve added the minimum to allow generating passkeys. Iā€™ve hacked in without known what I actually knowing what I am doing just to get it to work.

So, if you have any ideas or know where to help, feel free to ping me!

Edit: Due some personal events I am unable to continue this project in the near future. Feel free to pick where I left.

9 Likes

i also agree that passkeys is the way to go, all the major browsers support it, btw DCSBL good to see there is some preliminary work that has been done :slight_smile: