WebAuthnのソースを表示

[[Category:認証]]
[[en:WebAuthn]]
{{Related articles start}}
{{Related|Universal 2nd Factor}}
{{Related|セキュリティ}}
{{Related articles end}}

[[Wikipedia:WebAuthn|Web Authentication (WebAuthn)]] is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. 

Similar to legacy U2F, Web Authentication is resilient to verifier impersonation, that is, it is resistant to active man-in-the-middle-attacks, but unlike U2F, WebAuthn does not require a traditional password. Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.

== FIDO2 vs U2F ==

FIDO2 is the successor of the FIDO Universal 2nd Factor [[U2F]] legacy protocol. FIDO2 authentication has all the advantages of U2F—the primary difference is that a FIDO2 authenticator can also be a single-factor (passwordless) authenticator. The U2F protocol is designed to act as a second factor to strengthen existing username/password-based login flows.

== Authentication for websites ==

WebAuthn/FIDO2 is supported by major sites like Google, Facebook, Twitter, or GitHub. See https://www.dongleauth.com/ to find other websites and links to setup documentation. 

For all browsers which support it, likely the only action required is to install {{Pkg|libfido2}}. Modern browsers like Firefox and Chromium support WebAuthn authentication.

For a demo site to test the WebAuthn authentication process, see https://webauthn.io/.

== Local Linux authentication (PAM) ==

For using U2F authentication see [[U2F]].

=== Using a FIDO2 authenticator for local login ===

The FIDO2 specification includes an extension called HMAC Secret Extension (hmac-secret), which allows the secure use of a shared secret stored on the authenticator for local authentication.

One of the easiest ways to setup the local authentication process with FIDO2 is through the use of 
[[systemd-homed]] and the setup options of [[systemd-homed#Setup user with FIDO2 hmac-secret for authentication and encryption|homectl]].

== See also ==

* https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html
* https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension