Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add WebAuthn documentation #870

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add WebAuthn documentation #870

wants to merge 6 commits into from

Conversation

emlun
Copy link
Member

@emlun emlun commented Jul 21, 2024

Documentation for syncthing/syncthing#9175.

@emlun emlun requested review from tomasz1986 and acolomb July 21, 2024 14:46
@emlun emlun mentioned this pull request Jul 21, 2024
Open
10 tasks
rasa
rasa reviewed Jul 22, 2024
View reviewed changes
users/config.rst Outdated Show resolved Hide resolved
rasa
rasa reviewed Jul 22, 2024
View reviewed changes
users/config.rst Outdated Show resolved Hide resolved
rasa
rasa reviewed Jul 22, 2024
View reviewed changes
users/webauthn.rst Outdated Show resolved Hide resolved
@emlun
Copy link
Member Author

emlun commented Jul 27, 2024

Added a section on the "2FA" setting (renamed from "Require UV") covering most of what I laid out in syncthing/syncthing#9175 (comment).

imsodin
imsodin reviewed Aug 1, 2024
View reviewed changes
rest/webauthn.rst Outdated Show resolved Hide resolved
users/webauthn.rst Outdated Show resolved Hide resolved
rasa
rasa reviewed Aug 13, 2024
View reviewed changes
users/webauthn.rst
A credential is a public-private key pair stored either on an external security key,
or a `platform credential` stored on your computer or phone.
A credential is a public-private key pair that is stored on an `authenticator`,
which could be an external security key, a smartphone, or built into your computer.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
which could be an external security key, a smartphone, or built into your computer.
which could be a smart device (such as a phone, tablet, or watch), a dedicated hardware security key (such as a YubiKey), or built right into your computer.

"security key" might be too vague to the uninitiated, and aren't they all external?

rasa
rasa reviewed Aug 13, 2024
View reviewed changes
users/webauthn.rst
We therefore sometimes refer to WebAuthn credentials in Syncthing as "passkeys",
because they enable most of the same UI flows as passkeys,
even though they do not consume storage space on external security keys like passkeys usually do.
even though they do not consume storage space on external security keys like passkeys generally do.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
even though they do not consume storage space on external security keys like passkeys generally do.
even though they do not consume storage space on hardware security keys like passkeys generally do.

rasa
rasa reviewed Aug 13, 2024
View reviewed changes
users/webauthn.rst
but with credentials that do not need to consume storage space.
A "passkey" is a credential that enables "username-less login",
which identifies the user automatically without needing them to enter a username first.
For technical reasons, this is incompatible with a cryptographic trick commonly used by external security keys
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For technical reasons, this is incompatible with a cryptographic trick commonly used by external security keys
For technical reasons, this is incompatible with a cryptographic trick commonly used by hardware security keys

rasa
rasa reviewed Aug 13, 2024
View reviewed changes
users/webauthn.rst
@@ -45,7 +44,8 @@ For example:

- If the credential is stored on a smartphone,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these paragraphs refer to "smart devices, or your PC"? Since it's just an example, probably not.

rasa
rasa reviewed Aug 13, 2024
View reviewed changes
users/webauthn.rst
For hostnames other than ``localhost`` you will also need an HTTPS certificate your browser considers valid.
For guidance on how to create or obtain one, see for example
`OpenSSL Cookbook <https://www.feistyduck.com/library/openssl-cookbook/online/>`_
or `Let's Encrypt <https://letsencrypt.org/getting-started/>`_.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about adding:

To create locally trusted HTTPS certificates on the command-line see
mkcert <https://github.com/FiloSottile/mkcert>_.

@acolomb
Copy link
Member

acolomb commented Aug 17, 2024

For the record, I'd like some time to review this as well before someone merges it. Just waiting for the main PR to settle down a bit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imsodin imsodin imsodin left review comments

@rasa rasa rasa left review comments

@tomasz1986 tomasz1986 Awaiting requested review from tomasz1986

@acolomb acolomb Awaiting requested review from acolomb

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@emlun @acolomb @rasa @imsodin