
YubiKey Support in WebKit Browser

Hello there :)

Would it be possible to have support for hardware YubiKey keys in the Royal TSX WebKit plugin?


Hi Michael, very recently we added support for client certificate authentication to the WebKit plugin. It's available in the most recent beta. (See https://support.royalapps.com/support/discussions/topics/17000024511). Is that what you're looking for? Cheers, Felix

I meant support for hardware security keys, i.e. FIDO2 and U2F support.


Hi Michael, how does that look/work in Safari? Isn't it also presenting a certificate picker for the items stored on your hardware device? I'm pretty sure that Safari also uses the Keychain to present such items and so at least in theory, that should work in Royal TSX now as well. But I haven't tried it myself yet.


Oh, I see, you want Passkey support. We'll look into that.

Any news about this?

Hi there, 


Add me to those who would love to see YubiKey support, especially FIDO/U2F in the WebKit browser and for RDP sessions, and the YubiKey smartcard key for SSH.

For things that do require TOTP, I wonder if there's an SDK or a way to use the Yubico Authenticator as a source for auto logon TOTP credentials?

Let me add this as a rationale: for certain logins, we want a 2nd auth factor that is actually a "hard" uncopyable token. If the first factor's secret (the password) and the TOTP secret are both saved in the same place (i.e. Royal Apps or password manager, etc.), then I'll argue that it's not really 2FA. If there's no token (based on a non-replayable HMAC signing of a challenge inside the YubiKey after a physical touch, for example), there's no 2nd factor and no access - that's the goal. Someone could steal the YubiKey but they cannot steal the secret that is inside it.

I would argue that TOTP secret in the same password manager sure is convenient, but perhaps it's not much more secure than one factor...


Could YubiKey and general smartcard support perhaps be implemented with this distinction in mind? Depend on the YubiKey's ability to prove that the auth secret is present but without putting it at risk.

Rob
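
The distinction drawn in the post above, as an added example that is not part of the original thread or of Royal TSX: a TOTP secret stored next to the password yields valid codes for anyone holding a copy of the vault, while a touch-gated HMAC challenge-response answer is bound to one fresh challenge. The `Token` and `Verifier` classes and `compare_factors` are hypothetical, a software model with a constructed secret and a symmetric key shared at enrolment, not a YubiKey API.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Token:
    """Model of a hardware token: the key stays inside, answers need a touch."""
    def __init__(self, key):
        self._key = key
    def respond(self, challenge, touched):
        if not touched:
            raise PermissionError("physical touch required")
        return hmac.new(self._key, challenge, hashlib.sha1).digest()

class Verifier:
    """Model of the relying side: issues a fresh challenge per login attempt."""
    def __init__(self, key):
        self._key, self._pending = key, None
    def challenge(self):
        self._pending = secrets.token_bytes(32)
        return self._pending
    def verify(self, response):
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha1).digest()
        self._pending = None  # each challenge is single use
        return hmac.compare_digest(expected, response)

def compare_factors(now=1_700_000_000):
    vault = {"password": "constructed-pw", "totp_secret": b"constructed-secret"}
    copied = dict(vault)  # a copy of the vault carries both "factors"
    totp_ok = totp(copied["totp_secret"], now) == totp(vault["totp_secret"], now)
    key = secrets.token_bytes(20)  # enrolled once, never stored in the vault
    token, verifier = Token(key), Verifier(key)
    captured = token.respond(verifier.challenge(), touched=True)
    fresh_ok = verifier.verify(captured)
    verifier.challenge()  # next login attempt gets a new challenge
    replay_ok = verifier.verify(captured)
    try:
        token.respond(verifier.challenge(), touched=False)
        untouched = True
    except PermissionError:
        untouched = False
    return {"totp_from_copied_vault_accepted": totp_ok, "fresh_response_accepted": fresh_ok,
            "replayed_response_accepted": replay_ok, "response_without_touch": untouched}
```
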

Hi,


we looked into supporting Passkeys in web connections.

Unfortunately, it appears to require a special entitlement that we're unlikely to be granted by Apple (com.apple.developer.web-browser.public-key-credential).


Nonetheless, we contacted Apple for clarification if that's indeed what we need and if so, whether or not Royal TSX is eligible to receive the entitlement.


Regarding using YubiKeys in contexts other than web connections, please open separate feature requests.


thx,

Felix
