Threat Model

This page describes the primary threats and the mitigations implemented in the extension.

Phishing

Threat: An attacker creates a fake login page to steal credentials.

Mitigation: WebAuthn binds the credential to the Relying Party ID (domain). A passkey registered for example.com cannot be used on evil.example.com. The browser enforces this binding; no user action is required.

Credential theft via database breach

Threat: Attacker reads the credential database and impersonates users.

Mitigation: The database stores only public keys. The corresponding private key never leaves the authenticator device and cannot be extracted. A leaked public key is useless for authentication.

Recovery code theft

Threat: Attacker reads stored recovery codes and uses them.

Mitigation: Recovery codes are stored as bcrypt hashes (cost 12). Brute-forcing the hash is computationally infeasible. Users should store plaintext codes offline in a password manager.

Challenge replay

Threat: Attacker intercepts a challenge/assertion and replays it.

Mitigation: Each challenge token includes a nonce stored in the TYPO3 session. A nonce can be verified exactly once (`TYPO3 rate limiter` + session check). The challenge has a 120-second TTL.

Brute-force / DoS

Threat: Attacker floods the authentication endpoints.

Mitigation:

Rate limiting per IP per endpoint (configurable, default 10 req/5 min)
Account lockout after configurable failed attempts (default 5)
HTTP 429 responses with Retry-After header

User enumeration

Threat: Attacker discovers valid usernames by observing differing error responses.

Mitigation: The login/options endpoint returns the same response structure regardless of whether the username exists. The user_handle field in stored credentials is a SHA-256 hash of the UID + encryption key, not the username.

Session fixation

Threat: Attacker fixes a session ID and then authenticates to take over the session.

Mitigation: TYPO3's built-in session management regenerates the session ID after authentication. The extension does not bypass this.

CSRF

Threat: Attacker tricks an authenticated user into performing unwanted actions.

Mitigation: Management endpoints require a valid frontend session cookie. The eID endpoint validates the Content-Type: application/json header, which browsers do not set for cross-origin form submissions.

HTTPS requirement

WebAuthn operations are only allowed on secure origins (HTTPS or localhost). Any attempt to use the passkey API over plain HTTP will be rejected by the browser before reaching the server.

Important

Ensure your TYPO3 installation is running over HTTPS in production. Set reverseProxySSL if behind a load balancer.