undefined | Better HN

0 pointsu801e2y ago0 comments

But they're not application level protocol agnostic. Based on my understanding, they require use of HTTP. If I want to get MFA using an email client communicating via SMTP and IMAP, then the email client needs to be able to interact with the HTTP API.

0 comments

acdha2y ago

You can use FIDO tokens for other protocols: I use it for SSH, for example since OpenSSH 8.2 or so.

u801eOP2y ago

That requires the client to implement FIDO support. This was added to openssh 8.2p1. For example, mutt doesn't have FIDO support and you have to use an external script for oauth2 support. Both require implementing support for interacting with a HTTP API (which is not application level protocol agnostic).

On the other hand, you can configure mutt to use a client side TLS certificate and SMTP servers (e.g., postfix) and IMAP servers (e.g. dovecot) both support client side TLS certificates without having to support sending HTTP requests or parsing HTTP responses.

acdha2y ago

It’s not HTTP - the design uses a much smaller binary protocol (hardware tokens are very constrained) called CTAP:

https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-cl...

OpenSSH uses that protocol to request encryption operations. Mutt could do that the same way but it’d need a server which supports the same crypto algorithm FIDO2 specifies. That’d be great but also somewhat pointless if you’re using Yubikeys which support x509 auth which IMAP and SMTP have supported for decades.

j / k navigate · click thread line to collapse

0 comments

acdha2y ago

You can use FIDO tokens for other protocols: I use it for SSH, for example since OpenSSH 8.2 or so.

u801eOP2y ago

acdha2y ago

It’s not HTTP - the design uses a much smaller binary protocol (hardware tokens are very constrained) called CTAP:

https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-cl...

j / k navigate · click thread line to collapse