Forum / Wayk Now - Feature Request

Use Devolutions (or Den) account for authentication

Basically the title.

TeamViewer allows using the account to bypass passwords, and when the account is secured by 2FA and everything this can be super awesome. And especially in combination with an on-premise Den you could even knock out the 3rd party trust issue of that...

2 mths

Hello

Thanks a lot for the input. As you say, such a feature is likely to be paired with an on-premise or hosted Wayk Den. I'm not sure what the Wayk Den team have planned for that but I know there are a lot of changes on the roadmap as they ramp up for the first public release early in the new year. Someone from that team will be able to give some better feedback on that after the holiday period.

Thanks again and happy new year,

Richard Markievicz

2 mths

While it definitely would be bonkers awesome on on-premise Dens, using the Devolutions account with the classic Den would also be fun for using this at home. I doubt that I would be running a whole Den just for remoting into my PC or friends' PC etc. that I help, but the added assurance of an account that has 2FA (although the 2FA is slightly weird on the Devolutions account currently, I told your Twitter person btw) is just plain awesome.

2 mths

Hello

I agree that would be useful and a good idea. The friction in such a feature is likely to be in implementing the UX parts in a secure and privacy-conscious manner. For example, we would need to add the proper functionality for inviting / authorizing an arbitrary Devolutions account access to connect to the machine. Regardless, I have added that to our internal product board and would encourage anyone else interested in such a feature to add their voice here.

Thanks and kind regards,

Richard Markievicz

2 mths

Well, considering the current security config isn't something I would call particularly secure (the config being just easily writable to without much challenge, and some other thing I mentioned in a ticket already), adding the Devolutions account by email or unique ID wouldn't really make it much less safe, although granted it could be far more secure if made that way.

I dunno whether Win, Mac or Linux can, for example, store keypairs in a special way that would

A) make the pubkey visible but not writable without specific authorization (e.g. Password on secure desktop)
B) make the corresponding private key not readable except by the means above.

That would allow, for example, the Den to store an encrypted private key (whether for one for all or one for each is something in need of discussion, although one for all might be easier for deployment) which could be decrypted offline and then be used to access the PC.

Basically it works as follows.
Setup

1) Install Wayk
2) Sign into your Den account within Wayk to download pubkey (maybe display keyhash in a nice manner to confirm, drunken bishop or other graphical methods are perfect for this)
3) Also confirm your PC user for creation of local keypair plus signing of Den account pubkey and association of local keypair with Wayk.


Connection.

1) Client logs in with Den and downloads encrypted privkey and decrypts it
2) Connect to target
3) Present pubkey
4) Server checks pubkey against stored signed copy
5) If matching, send a challenge to sign
6) Sign it
7) If match, let in

Maybe the con could even be done using a client cert due to Wayk iirc using TLS, which would lower the complexity of any pubkey based method.

2 mths
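The setup and connection steps proposed in the last post, sketched as an added example (not part of the thread and not Wayk or Den code). Ed25519, the `label` prefix and every function name are assumptions of this sketch, and downloading and decrypting the private key from the Den (connection step 1) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const label = "example-login-v1|" // constructed domain-separation prefix

// Enrollment is what the target stores at setup: account pubkey + machine signature.
type Enrollment struct{ AccountPub ed25519.PublicKey; Sig []byte }

// Random32 returns 32 fresh random bytes: a key seed or a single-use challenge.
func Random32() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) { // Ed25519 is this example's choice
	priv := ed25519.NewKeyFromSeed(Random32())
	return priv.Public().(ed25519.PublicKey), priv
}

// Enroll (setup step 3): the machine's local key signs the account public key.
func Enroll(machinePriv ed25519.PrivateKey, accountPub ed25519.PublicKey) Enrollment {
	return Enrollment{AccountPub: accountPub, Sig: ed25519.Sign(machinePriv, accountPub)}
}

// Respond (connection step 6): the client signs label||challenge, not the bare nonce.
func Respond(accountPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(accountPriv, append([]byte(label), challenge...))
}

// Admit (steps 4 and 7): presented key equals the stored copy, the copy's machine
// signature is intact, and the response verifies over this challenge.
func Admit(machinePub ed25519.PublicKey, e Enrollment, presented ed25519.PublicKey, challenge, resp []byte) bool {
	return presented.Equal(e.AccountPub) &&
		ed25519.Verify(machinePub, e.AccountPub, e.Sig) &&
		ed25519.Verify(presented, append([]byte(label), challenge...), resp)
}

func main() {
	mPub, mPriv := NewKey() // target machine's local keypair
	aPub, aPriv := NewKey() // account keypair
	c := Random32()
	fmt.Println("admitted:", Admit(mPub, Enroll(mPriv, aPub), aPub, c, Respond(aPriv, c)))
}
```

Because the stored account key is checked against the machine key's signature, overwriting the stored copy in a writable config is not enough to get a different key admitted.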