U2F fido alliance

JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

U2F fido alliance

Post by JDunphy »

Does anyone know if Zimbra will support U2F, or better yet FIDO2 from the FIDO Alliance, as one of the second factors at some point? I have a co-op student building us cheap U2F tokens for approx. $4 each based on the u2fzero project, and we are close to finished on the hardware side for her project. I still need to modify the code for some features we require and started to look into Zimbra and what it would take. Anyone have anything to add on the difficulty of adding additional 2nd factors? I saw the /opt/zimbra/docs/twofactorauth.md, which is my starting point. Just curious if there is even a desire for this from the community?

For those that don't know, most browsers, with the exception of Safari, now have native U2F support. The U2Fzero project uses a hardware secure enclave (ATECC508A) and is fairly immune to attacks even on machines with keyloggers and other malware installed.

Ref: ATECC508A and http://ww1.microchip.com/downloads/en/D ... 05927A.pdf
krapula
Posts: 1
Joined: Sun Mar 24, 2019 6:39 pm

Re: U2F fido alliance

Post by krapula »

Native U2F or FIDO2 support would be nice, but while waiting for it you can achieve this with an SAML 2.0 IDP which supports them. For example, RCDevs OpenOTP works fine; it's a commercial product, but the freeware edition works for up to 40 users.

Unfortunately, even with a compatible IDP, Zimbra SAML support seems very limited. Only the IDP-initiated SAML workflow is supported, but that is better than nothing.