Open Bug 1494478 Opened 6 years ago Updated 11 months ago

[meta] Add an API to re-authenticate the user with the operating system (OS)

Categories

(Core :: Security: PSM, enhancement, P3)

People

(Reporter: MattN, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: [psm-tracking])

Attachments

(2 obsolete files)

As discussed in our September 13th meeting on secure storage, the front-end would like a way to verify that the Firefox user is authorized to use that OS account before we let them use a saved credit card, even if the key store is already unlocked. This blocks bug 1486954 (which I'd like to land in the next week or so) as we need a way to re-authenticate the user before autofilling a credit card since autofill doesn't involve a CVV. For Windows we can use DPAPI for this.
Franziskus, can you prioritize this?
Assignee: nobody → franziskuskiefer
Status: NEW → ASSIGNED
Priority: -- → P1
I made the simplest version I could think of (lock/unlock before every operation). This should work on all platforms without changes except for Windows where lock/unlock isn't implemented yet. The drawback here is that if the re-auth isn't set on an operation, it's not performed, i.e. there's no flag on the secret that it requires re-auth. Depends on D7713.
(In reply to Franziskus Kiefer [:franziskus] from comment #2)
> I made the simplest version I could think of (lock/unlock before every
> operation). This should work on all platforms without changes except for
> Windows where lock/unlock isn't implemented yet. The drawback here is that
> if the re-auth isn't set on an operation, it's not performed, i.e. there's
> no flag on the secret that it requires re-auth.

Does that mean if the user failed to log in on reauth, the login dialog will pop up again on subsequent unlock(reauth=false)?
Attachment #9014387 - Attachment is obsolete: true
Franziskus, please provide an update at the later part of your day Weds re: what the API surface is going to look like, and a summary of remaining challenges. I know the WP team is anxious to hear news, and isn't seeing the prototyping.
Flags: needinfo?(franziskuskiefer)
The attached patch adds OS authentication for Windows. While the exact API required here isn't entirely clear to me yet, this part is needed to allow for user authentication on all platforms. The simplest way to achieve re-authentication now would be to lock the key-store before any operation that requires user authentication. That's not ideal and locks the OS key store on most platforms, but is the only possibility on some platforms to request OS-level user authentication.
Flags: needinfo?(franziskuskiefer)
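The lock-before-operation approach from the comments above, as an added toy model rather than code from the patches or from nsIOSKeyStore. All class, method and option names are hypothetical, and the OS prompt is a callback with constructed outcomes. It contrasts a per-call re-auth option with an assumed per-secret flag and shows what a failed re-auth leaves behind.

```javascript
// Added toy model; every name here is hypothetical (this is not nsIOSKeyStore).
class ToyKeyStore {
  constructor(osPrompt) {
    this.osPrompt = osPrompt; // stands in for the OS login dialog, returns true/false
    this.locked = true;
    this.prompts = 0;
    this.secrets = new Map(); // label -> { value, requiresReauth }
  }
  lock() { this.locked = true; }
  unlock() {
    if (!this.locked) return true; // already unlocked: the OS is not asked again
    this.prompts++;
    this.locked = !this.osPrompt();
    return !this.locked;
  }
  store(label, value, requiresReauth = false) {
    this.secrets.set(label, { value, requiresReauth });
  }
  // Per-operation option, as in the thread: re-auth happens only if the caller asks.
  getPerCall(label, { reauth = false } = {}) {
    if (reauth) this.lock();
    if (!this.unlock()) throw new Error("OS authentication failed");
    return this.secrets.get(label).value;
  }
  // Assumed alternative: the flag is stored with the secret and enforced by the store.
  getPerSecret(label) {
    const entry = this.secrets.get(label);
    if (entry.requiresReauth) this.lock();
    if (!this.unlock()) throw new Error("OS authentication failed");
    return entry.value;
  }
}

function demo() {
  const answers = [true, false, true]; // constructed OS prompt outcomes
  const ks = new ToyKeyStore(() => answers.shift());
  ks.store("card", "constructed-card-number", true);
  ks.unlock(); // prompt 1 succeeds: store is now unlocked
  const forgotten = ks.getPerCall("card"); // caller omitted reauth: no prompt at all
  const promptsAfterForgotten = ks.prompts;
  let failed = false;
  try { ks.getPerSecret("card"); } catch (e) { failed = true; } // prompt 2 is refused
  const lockedAfterFailure = ks.locked; // the failed re-auth left the whole store locked
  ks.getPerCall("card"); // reauth=false, but the store is locked, so prompt 3 appears
  return { forgotten, promptsAfterForgotten, failed, lockedAfterFailure, prompts: ks.prompts };
}

console.log(demo());
```

In this model a refused re-auth leaves the store locked, so the next call prompts again even without the re-auth option.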
Franziskus - in exploring how to implement this for OS X, I stubbed out how I think the API should work: https://phabricator.services.mozilla.com/D8307#change-PfvpnVbc4m5b. Let me know what you think.
Flags: needinfo?(franziskuskiefer)
Blocks: 1429265
Flags: needinfo?(franziskuskiefer)
Attachment #9015870 - Attachment is obsolete: true
15 Oct update: The patch for the API is ready (Bug 1498351). The patch for Windows is up and has an r+ (Bug 1498518). The patch for OSX is mostly written but not up yet (Comment 7). Linux does not have a final plan yet; it looks like we need to either 1) lock the whole user's keystore, 2) not do re-authentication on Linux, or 3) work upstream with libsecret to support what we need, which will take some time. If we choose 3, we also must choose 1 or 2 in the meantime. Being the security team, we have a preference for option 1 or option 1 in conjunction with option 3. That said, we're not going to have capacity to drive the option 3 change at libsecret in the near term.
Depends on: 1499846
Assignee: franziskuskiefer → nobody
Status: ASSIGNED → NEW
Keywords: meta
Priority: P1 → --
Summary: Add an option to re-authenticate the user via nsIOSKeyStore → [meta] Add an API to re-authenticate the user with the operating system (OS)
Depends on: 1527745
Priority: -- → P3
Whiteboard: [psm-tracking]
Severity: normal → S3