Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Gonzalo
    @grzuy

    Hi Bart,

    What is that you were trying to do in the Demo app?

    Bart de Water
    @bdewater
    Showing how to implement my metadata PR
    Gonzalo
    @grzuy

    Showing how to implement my metadata PR

    Great!

    Bart de Water
    @bdewater
    pushed some stuff up. needs some more testing and polishing but the complete idea should be pretty clear at this point. LMK what you think :D
    Braulio Martinez
    @brauliomartinezlm
    @bdewater wanted to share with you that we're going to be giving a talk about WebAuthn in NYC.rb on Nov 13th and a shorter version of it in Boston Ruby meetup on Nov 12th :rocket:
    I know you're not close from there but wanted to let you know just in case you happen to be around at that time of the year or if you anyone you know might be interested in the topic and would like to hear about it :smile:
    We're right now against the clock with Gonzalo trying to get our slides done haha
    Bart de Water
    @bdewater
    that's awesome! :raised_hands:
    Bart de Water
    @bdewater

    I'm not around unfortunately, and 5-6 hours is a bit far to drive for a regular weekday haha. Best of luck with the slides! I'll make sure to tell our NY-based folks.

    I'm planning a WebAuthn talk for Ottawa.rb in January myself :grin:

    Braulio Martinez
    @brauliomartinezlm
    Yeah, it’s a long ride. Thank you and thank you for spreading the word.
    Oh great to hear you plan to speak there! :rocket:
    Gonzalo
    @grzuy

    I'm not around unfortunately, and 5-6 hours is a bit far to drive for a regular weekday haha. Best of luck with the slides! I'll make sure to tell our NY-based folks.

    I'm planning a WebAuthn talk for Ottawa.rb in January myself :grin:

    Awesome! :clap:

    Gonzalo
    @grzuy
    Hi @bdewater , we've been working lately with @padulafacundo on Attestation support and he wasn't able to find any of the Yubico keys listed as authenticators on the FIDO metadata service? Did you experienced the same when you were playing with that?
    Bart de Water
    @bdewater

    Hi @grzuy that's correct - we've been in touch Yubico about a couple of things and among others they recommended we require attestation during our registration flow. I've asked them why since they don't publish to the FIDO MDS, to my knowledge to don't even self-publish metadata. Best I could find was https://developers.yubico.com/U2F/Attestation_and_Metadata/ for U2F. Long story short, as long as we employ WebAuthn for 2FA only we don't see the added value at Shopify, but for a potential usernameless & passwordless flow we see the potential for metadata to safeguard users from compromised authenticators similar to HaveIBeenPwned for passwords. I haven't heard back from them yet, but at the moment the MDS does not feels not very useful.

    SoloKeys self publishes over at https://github.com/solokeys/solo/tree/master/metadata - according to solokeys/solo#89 publishing on the MDS was too expensive for them, but that can't be a problem for Yubico

    for https://github.com/cedarcode/webauthn-ruby/pull/208#issuecomment-551920674 btw, might be best if you rebase that branch and amend the commit that introduced the zipfile to remove it, so it doesn't end up in master's git history. better safe than sorry and all that :)
    Bart de Water
    @bdewater
    I just head WebAuthn works for us in the newest iOS beta if you toggle the feature flag on :)
    Braulio Martinez
    @brauliomartinezlm
    :scream: great news!
    I'll have to change my slides for tonight :P
    Bart de Water
    @bdewater
    haha! good luck :D
    also finished extracting the metadata client: https://github.com/bdewater/fido_metadata
    Braulio Martinez
    @brauliomartinezlm

    also finished extracting the metadata client: https://github.com/bdewater/fido_metadata

    This is awesome :rocket: !!!!

    how did the presentation go? :)
    Braulio Martinez
    @brauliomartinezlm
    It was awesome, both in Boston yesterday and today in NY. People get really amazed and curious about it, ask good questions, come to us after the talk to know more. Truly a great experience for us. I'll send you our slides in an email for you to give us feedback if you want :). Feel free of course to take idea or use things if you got for it in Ottawa.rb

    https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_3_beta_2_release_notes is the changelog btw

    Nice, we were actually talking about that yesterday with Gonzalo :muscle: I think he saw it on Twitter yesterday

    also finished extracting the metadata client: https://github.com/bdewater/fido_metadata

    Thank you, nice work!

    haha! good luck :D

    Thank you very much! It went well. We got lot of positive feedback.
    People gets excited about WebAuthn which is cool.

    Bart de Water
    @bdewater
    I'm a bit frustrated with how conformance tool issues are handled. Either problems are ignored for months or straight closed because the issue is not understood well :/
    Bart de Water
    @bdewater
    Gonzalo
    @grzuy

    I'm a bit frustrated with how conformance tool issues are handled. Either problems are ignored for months or straight closed because the issue is not understood well :/

    Bummer :-/

    callags
    @callags
    Hi All, I was invited to this gitter chat from Gonzalo earlier today. I was hoping to find some sort of walk-through guide or video on how to setup the Webauthn from your github page.
    Gonzalo
    @grzuy
    Hi @callags , welcome!
    Are you trying to add WebAuthn authentication to a Rails application?
    If so, are you trying to add it as a 2nd factor? I.e. this would be 2nd step after password authentication?
    callags
    @callags

    Yes, I would like this to work in hand with an admin account. The idea is that I would first sign in with username and password, followed by inserting a Yubikey as a multifactor sign in process.

    Now I did have this originally using devise-u2f gem, but since Microsoft only allowed Webauthn authentication through Windows 10, I've been forced to look at different solutions. I did email the guy who was running the devise-webauthn gem if he had a working version. However, he said he was caught up with other projects that he didn't know when he would get around to it. Which was what lead me to the webauthn-ruby gem since you guys had a really cool working demo.

    the admin account is built using the devise gem, incase that helps
    Gonzalo
    @grzuy

    Hi @callags ,

    There a bunch of WebAuthn tutorials in https://github.com/herrjemand/awesome-webauthn#resources. From that you can learn how WebAuthn works, what goes on the frontend and on the backend. Once you're ready to code the backend side, you can see https://github.com/cedarcode/webauthn-rails-demo-app to have as a reference implementation.

    Gonzalo
    @grzuy
    @bdewater Forgot to ask how did the WebAuthn talk in Ottawa.rb went?
    Bart de Water
    @bdewater
    it went well! thanks for asking :) after my talk (about 35 mins) we had another free form Q&A/discussion for another half hour, it was a very engaged audience. now that I'm back from travel to the Netherlands I'll submit it to Montreal.rb as well
    Gonzalo
    @grzuy
    Very nice!
    Braulio submitted for RailsConf yesterday. We'll see if it gets selected :-)
    Gonzalo
    @grzuy
    Bart de Water
    @bdewater
    I'll keep my fingers crossed for you Braulio! I submitted a talk to RubyKaigi but it did not get accepted unfortunately
    Braulio Martinez
    @brauliomartinezlm
    Thank you Bart! Lets hope they accept it, but there are 443 so it will be hard as well. Sorry to hear about RubyKaigi, I'm sure you'll get another shot!
    Bart de Water
    @bdewater

    In one of the PRs for attestation I argued for being able to inject Time objects as a dependency so you could easily later re-verify attestation statements to see if authenticators are still reliable. Today I saw an article about Intel TPM flaws which illustrate why I feel it's a legit use case that ought to be supported :) https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html

    doesn't need to be part of #304 which big enough as it is I think. Trying to find some time soon to test it by resurrecting https://github.com/cedarcode/webauthn-rails-demo-app/pull/113/

    Gonzalo
    @grzuy
    Hi @bdewater , sounds good to me. As long as we have the default being the current time we should be good.
    Bart de Water
    @bdewater

    congrats in finalizing the MDS work Gonzalo! have you submitted the test results using the conformance tool? :)

    hope y'all are staying safe in these weird times

    Braulio Martinez
    @brauliomartinezlm
    Hi @bdewater ! We have gone full home remote for a while to stay inside, as most software companies. We're all good so far, thanks caring and for sending good vibes. I hope you and the Shopify crew are doing great and staying safe as well.