Implement Webauthn PRF to encrypt/decrypt auth credentials using an external device

[AllanOricil]

@mshanemc

Webauthn with an external device would be useful to ensure the identity of the person accessing secrets from local keychains/keystorage/vaults.

I think implementing passkey via bluetooth device could make sfdx "secure", or more secure. If a unauthorized person access my computer he/she won't be able to access the org because he/she won't have access to the device which is used for authentication.

I think this could be useful to further protect "production/full-copy" orgs. What do you think? Like I said in the beginning, this is just a hypothesis. I don't have the knowledge to say if it actually increases or not security.

Webauthn demo: https://webauthn.io/

Passkeys: https://www.passkeys.com/guides

PRF: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension

Another demo to check if PRF is supported:
https://levischuck.com/blog/2023-02-prf-webauthn

• Orgs registered with --passkey go through the passkey multi-device flow. Users have to auth using their mobile devices before interacting with orgs in their computers.
• Orgs registered with --passkey are the only ones that go through a passkey middleware to decrypt auth info.
• Org must have MFA enabled. This would prevent an attacker to reset your password in case the computer is still logged in to the Email used to login. If someone has access to your email they can potentially change your password, but if MFA is enable they wouldn't be able to do it without the other device.
• Salesforce agents would have to be trained to ask security questions before they can help you to access your org.

sfdx command -> local passkey middleware -> salesforce

Local Passkey Middleware would do the following:

When registering an Org:

1. start the Webauthn Passskey flow via a browser to register a passkey in a Mobile device and get a PRF.
2. encrypt the auth credentials in the host using the PRF.
3. test the connection with salesforce (decrypt flow).
4. register the org locally if 3 succeeds.

When interacting with an Org:

1. start the Webauthn Passskey flow via Bluetooth with a mobile phone to get the PRF.
2. decrypt host db to get auth info using the passkey PRF.
3. forward request to salesforce using the decrypted auth info.

In both cases, if the auth credentials can't be decrypted, requests fail.

[AllanOricil]

Apparently there is currently no way to get a key when using passkey:

https://developer.apple.com/forums/thread/731512
https://security.stackexchange.com/questions/269503/security-concerns-in-using-passkey-webauthn-to-encrypt-data

This guy found a way. I will probably test it, and if it works I'm going to write a plugin to sfdx. Is there a way to write "auth middleware plugins to sfdx" ? (if not, maybe this could be a feature! Companies can setup their own auth middlewares)

https://blog.millerti.me/2023/01/22/encrypting-data-in-the-browser-using-webauthn/

I asked the blog's author if it is possible to encrypt a local db using his approach with prf

MasterKale/SimpleWebAuthn#454

[AllanOricil]

https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/kMe6Kb4GCpU?pli=1
https://bugs.chromium.org/p/chromium/issues/detail?id=1023225

[AllanOricil]

Extension that adds PRF to passkeys

https://bitwarden.com/blog/prf-webauthn-and-its-role-in-passkeys/#:~:text=When%20using%20an%20authenticator%20such,to%20that%20site%20during%20authentication.

[AllanOricil]

Currently only supported by Chrome
https://chromestatus.com/feature/5138422207348736

[AllanOricil]

More recent discussions about the implementation of PRF extension

https://groups.google.com/a/chromium.org/g/blink-dev/c/iTNOgLwD2bI

w3c/webauthn#1830

[AllanOricil]

@MasterKale @emlun this is the use case I'm thinking about MasterKale/SimpleWebAuthn#454

This cli from Salesforce stores encrypted credentials on the host and they are accessible by the current logged in user. If someone access my machine and is able to login with my user or is granted root access, this person can access all my Connected Environments. So, encrypting those credentials with PRF could protect attackers from accessing my environments through the CLI because they would not have access to my phone. My idea is to only decrypt local stored auth credentials if the passkey mobile auth flow succeeds.

Could you help me to understand what is currently limiting PRFs usage on phones?

[emlun]

Could you help me to understand what is currently limiting PRFs usage on phones?

Pending standardization (private repo, sorry) of PRF over the hybrid (cross-device QR+Bluetooth+network) transport, followed by optional implementation by platform vendors. The PRF extension does currently work with the Android platform authenticator, though, but I suppose things could in theory change as the standard is still pending. External security keys support PRF via the CTAP2 hmac-secret extension, which is standardized and stable.

Here is an example implementation of using PRF to encrypt data on the client side. The implementation is in Rust WebAssembly, but the WebAuthn and WebCrypto calls are completely analogous to doing the same things in JavaScript. I make no guarantees to the safety of the encryption architecture; please perform your own security analysis with appropriate expertise before putting any of this in a product.

[AllanOricil]

@gregwhitworth