| From: | Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com> |
|---|---|
| To: | Joel Jacobson <joel(at)compiler(dot)org> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Time to add FIDO2 support? |
| Date: | 2026-01-23 17:19:11 |
| Message-ID: | CAN4CZFNCrY-CrKenU1dVto27XFBE43PuFT8A6rkgxQvWLOPRqA@mail.gmail.com |
| Lists: | pgsql-hackers |
> Would others be interested in adding support for FIDO2 as a new SASL
> authentication mechanism?

Me definitely; I was also thinking about the same thing. For context,
I did implement fido authentication for Percona Server for MySQL.
But as far as I know, SASL only has drafts[1][2] about fido, not accepted RFCs.

This is also related to why I asked about generic (not oauth related)
authentication plugins on the list a few days ago[3]; one of the
things I was thinking about was fido/webauthn.

> Add "fido2" to pg_hba.conf:
>
> hostssl all all 0.0.0.0/0 fido2
> hostssl all all ::/0 fido2

It would be really good to implement MFA properly (allowing users to
configure password + fido requirement for login), but that would also
require changes in pg_hba processing.

[1] : https://www.ietf.org/archive/id/draft-bucksch-sasl-passkey-00.html
[2] : https://www.ietf.org/archive/id/draft-ietf-kitten-scram-2fa-05.html
[3] : https://www.postgresql.org/message-id/CAN4CZFN%3D5%3DdWvY%3DYAPeF4PVOMtR5U6jMLc2kCSHdO0EhejPp%2BQ%40mail.gmail.com
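An added illustration (not PostgreSQL's code and not part of this thread) of the pg_hba processing the reply points at: rules are scanned in order, the first line whose type, database, user and address match the connection wins, and that line carries exactly one auth method, which is why "password + fido" would need new pg_hba syntax and matching logic. The "fido2" method and the sample config are taken from the quoted proposal and are hypothetical.

```python
# Constructed illustration, not PostgreSQL's own code: models the part of
# pg_hba processing the reply refers to. Rules are scanned in order, the
# first line whose type/database/user/address match wins, and that line
# names exactly one auth method. "fido2" is the hypothetical method from
# the quoted proposal, not a method PostgreSQL ships.
import ipaddress

# Constructed sample: the two quoted lines plus one scram line for contrast.
HBA_SAMPLE = """
hostssl all all 0.0.0.0/0   fido2
hostssl all all ::/0        fido2
host    all all 10.0.0.0/8  scram-sha-256
"""

def parse_hba(text):
    """Return (type, database, user, address, method) tuples for TCP rules.
    Only the host/hostssl/hostnossl forms are modelled; local rules,
    +group/@file user syntax and per-method options are left out."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("local"):
            continue
        ctype, db, user, addr, method = line.split()[:5]
        rules.append((ctype, db, user, addr, method))
    return rules

def match_method(rules, database, user, client_ip, ssl):
    """Auth method of the first matching rule, or None (connection rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for ctype, db, usr, addr, method in rules:
        if ctype == "hostssl" and not ssl:
            continue
        if ctype == "hostnossl" and ssl:
            continue
        if db != "all" and db != database:
            continue
        if usr != "all" and usr != user:
            continue
        net = ipaddress.ip_network(addr, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        return method  # one method per line: no "password AND fido2" here
    return None

if __name__ == "__main__":
    rules = parse_hba(HBA_SAMPLE)
    print(match_method(rules, "app", "alice", "203.0.113.5", ssl=True))   # fido2
    print(match_method(rules, "app", "alice", "203.0.113.5", ssl=False))  # None
```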