Alternate login methods

[MisterTechnik]

What about adding alternate options to log into your account, like USB Security Keys or using some third-party apps that support the use of your phone / iPad / NoteBook to let you into your account (e.g. The Google thing where you get a window on your phone to press "yes, it's me", some other also support similar, DUO Mobile maybe, I'm not quite sure)

[krono]

I second this.

This is especially useful for First- and Second-graders, who will very likely not be able to remember Both Username and Password.

[JustusFluegel]

maybe something like webauthn or u2f?

Webauthn would support for example windows hello facial recognition or fingerprint sensors ( trough windows hello ).

I am currently in 10th grade and I would really like to secure my account using a second factor ( my Yubikey 5 NFC ).
Maybe I can create a PR for that if that would be appreciated.

[janrenz]

Hi, I would fully support different login methods and would be happy to help on any community contribution here and support you on a PR.
However from the strategic side we engage the federal States to have centralized IDMs systems like we do have in Thueringa, so all login related stuff should be part of these IDMs and not of the Schul-Cloud in the midterm.

[krono]

Makes a lot of sense.
I hope you all got some advisoral influence there :)

[krono]

sad this is closed without comment :(

[MLuderich]

Since this issue was quite old and sort of had an culmination, I figured it could be closed. I can give an update on our plans in this regard though and then we'll see, if it should be kept open.

For 3 of our 5 instances, we have (Thuringia, Brandenburg) or will have (Lower Saxony) a state-wide IDM solution that takes care of of authentication. Mid-term this will be oAuth2/OIDC for all of them. Currently, Thuringia (CAS) and Brandenburg (LDAP-S) use other protocols. Users on these instances will completely depend on the login solutions provided by these systems.

For the other two instances, we are in the process of building an IDM solution based on an off-the-shelf Keycloak with a user management with user/role/group service on top. We will check which login solutions Keycloak allows for. We certainly want to implement 2FA and I would be open to discuss this with the community once we are at a stage to share.

I for now will keep the issue open. Please let me know if this is wanted.

[krono]

Thanks, @MLuderich, this explanation makes sense.

Looking forward to a solution, (preferable sth. Yubikey), but whatever works) :)

[Loki-Afro]

@krono although not impossible webauthn, and therefore yubikey and similar are not currently developed.
however can be done using keycloak https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/ however we are still far off.
https://github.com/hpi-schul-cloud/erwin-idm that would be the future repo for this kinda request btw.

in the meantime .. what i am doing is using pass, password manager that encrypts the secrets using gpg, my gpg private key is on my yubikey (you can find dozens of tutorials for that nowadays)
although not the same and definitely not for everyone, but gives great flexibility