Implementation of Passkeys Authentication in Directus for Enhanced Security #18755
vamsii777
announced in
Approved Requests
Replies: 2 comments 5 replies
Heya! Thanks for opening this feature request! This request has been fast-tracked by the Core Team, who feels it is an immediate candidate for our formal review process. This means we'll move this feature request to the Under Review category! The Core team will schedule a meeting to review this request as soon as possible. The discussion will then be approved or denied. You may or may not be invited to join this meeting with the core team. For more information, see our Feature Request Process.
I provided more details in #19629 on how this can be implemented.
Summary
The proposal involves the integration of passkeys authentication into Directus. Passkeys are a secure, passwordless login method where each passkey acts as a unique digital key that cannot be reused. Unlike traditional passwords, passkeys are encrypted and stored on the user's devices instead of on the company's servers, providing enhanced security against data breaches. This feature will allow users to authenticate using passkeys, thereby reducing the reliance on passwords and enhancing overall account security.
Basic Example
No response
Motivation
Traditional password-based authentication has proven to be vulnerable to attacks such as data breaches and phishing. Introducing passkeys as an alternative to passwords will significantly enhance the security of the Directus platform. Passkeys, being unique digital keys stored in an encrypted format on user devices, are not easily hackable, reusable, or phishable.
Detailed Design
The passkey-based authentication system will use the WebAuthentication (WebAuthn) standard, which uses public-key cryptography. Upon user registration or opting-in for passkeys, the system will generate a pair of keys - a public key that will be stored on the Directus servers and a private key that will be stored on the user's device.
During authentication, the server will send a challenge to the user's device. The private key will be used to sign this challenge and send it back to the server, which will then verify it using the public key, thereby authenticating the user.
Here's a broad overview of what the integration might look like:
User Registration
When a user registers, along with their basic details, Directus should prompt for an additional step of passkey registration. This will involve the creation of a public-private key pair, where the private key is securely stored on the user's device and the public key is stored on the Directus server.
User Authentication
When a user tries to login, Directus should initiate a challenge-response protocol. The server sends a challenge to the user's device, which is then signed with the private key. The signed response is sent back to the server, which verifies it using the stored public key.
Support for Multiple Devices:
Users should be able to register multiple devices, each with its own public-private key pair.
Fallback Mechanism:
A fallback mechanism (like a password or OTP) should be in place in case the user loses access to their registered device(s).
Requirements List
Must have
Should have
Could have
Won't have (now)
Drawbacks
Alternatives
Adoption Strategy
This feature will be implemented as an opt-in feature, allowing users to choose whether they want to use passkeys or continue using traditional passwords. This ensures that it is not a breaking change. A comprehensive guide will be provided to help users understand the benefits and usage of passkeys.
Unresolved Questions