Feature request: Support for Passkey (WebAuthn) authentication in LuCI

[Tokisaki-Galaxy]

What would you like to see in luci?

Description
I would like to propose adding support for Passkey (WebAuthn) authentication to the LuCI web interface.

Motivation
Currently, LuCI primarily relies on traditional username/password authentication. As the central gateway of a network, an OpenWrt router is a high-value target. Relying solely on passwords poses several risks:

• Brute-force attacks: Even with strong passwords, HTTP interfaces are often targets for automated cracking attempts.
• Credential theft: Passwords can be phished or leaked.
• Complexity vs. Security: Users often choose weak passwords to make it easier to log in from mobile devices.

Proposed Solution
Implementing WebAuthn support would allow users to log in using Passkeys (TouchID, FaceID, Windows Hello, or hardware keys like YubiKey). This would provide:

• Phishing resistance: WebAuthn is inherently secure against phishing.
• Improved Security: Eliminates the risk of brute-force attacks on the web interface.
• Better UX: Faster and more secure login experience across devices without typing long passwords.

Additional Context
Since LuCI is a critical component, modernizing its authentication mechanism aligns with the industry trend toward passwordless security. I'd like to start a discussion on the technical feasibility and whether this should be implemented as a core feature or an optional luci-app.

What are your thoughts on this?

[systemcrash]

I think it makes sense - I've started on this myself. But every security "feature" we build must have a recourse. Users being users inevitably get locked out and need a reset. Fortunately we have ssh or it's possible to reboot the router into a safe mode.

Any amendments to luci shall remain usable at all levels of security, and as much as possible, implementation agnostic, and standards compliant: no yubikey only no matter how attractive that 5kb library is, and it will continue to work without Internet.

• to make it easier to log in from mobile devices.

I don't think I've ever typed it in on mobile. I just mash my browser autofill buttons. It's a device at home, it's not very interesting. :)

[jow-]

Proper HTTPS setup (custom CA trusted by client, not just a selfsigned cert) and a proper, stable and unique hostname are preconditions for this. These are significant hurdles and very easy to break.

• There is no device agnostic way to extract vendor serials on OpenWrt, but a unique name could be formed based on the primary MAC address of the device
• When a non-unique hostname such as "openwrt.lan" is chosen, it becomes impossible to manage multiple devices
• When a unique hostname such as "openwrt-de12af.lan" is generated it becomes hard for the user to discover (unless considering mDNS / captive portal solutions, requiring even more infrastructure)
• Any change to the hostname (assuming it entails changing the local domain) would invalidate the entire passkey setup
• Managing ephemeral CA, renewals, trusts etc. is complex

[Tokisaki-Galaxy]

Thanks for the insight. I hadn't fully considered how strictly WebAuthn ties to the Origin (domain/protocol), which is indeed a nightmare for local devices with dynamic IPs or hostnames. The 'catch-22' of HTTPS on local hardware is also a major blocker.

Given these constraints, I agree this isn't feasible for now. Thank you.

However, to address the original security concern, would a TOTP-based two-factor authentication (2FA) be a more logical alternative? It avoids the Origin/HTTPS issues while still providing a significant security boost over plain passwords.

[systemcrash]

You can take a look at what @Ansuel started in #7069

[Tokisaki-Galaxy]

You can take a look at what @Ansuel started in #7069

Thank you very much. I'm writing a ci development process for luci now. I'll try to follow that pr.

[jow-]

I wouldn't say it is entirely infeasible but it would require quite some baseline functionality (TLS crypto support, CA management, mDNS, probably even dyndns + hairpinning if remote access w/ passkey is desired) functionality which is unlikely to ever be available ootb in vanilla OpenWrt. So this either must go into some well polished addon package drawing in and preconfiguring the various dependencies or a downstream distribution not catering to the lowest common denominator of functionality.

[Neustradamus]

@Tokisaki-Galaxy: Nice PR!

• luci-app-2fa: init checkin #8280
• luci-base: add generic authentication plugin mechanism #8281

Linked to:

• [POC,WIP] Implement 2-Factor Authentication with TOTP or HOTP #7069

[Tokisaki-Galaxy]

I am currently developing the webauthn passkey login method. The progress is going well, but there is no stable version yet.

https://github.com/Tokisaki-Galaxy/webauthn-helper
https://github.com/Tokisaki-Galaxy/luci-app-webauthn

I have verified that as long as there is a domain name, Letencrypt can issue a certificate for the local network IP, such as admin.tokisaki.top

[Neustradamus]

@Tokisaki-Galaxy: Thanks for your work!

Do not forget to respect the OpenWrt rules about commits.

• https://openwrt.org/submitting-patches#submission_guidelines

🔶 Author name (Tokisaki-Galaxy) seems to be a nickname or an alias

[efahl]

@Tokisaki-Galaxy Looks good so far...

I'm curious as to the size of the CLI component. How big are the .apk files for it?

And how good do you think support for odd arches like powerpc and loongarch will be in Rust?

[Tokisaki-Galaxy]

@Tokisaki-Galaxy Looks good so far...

I'm curious as to the size of the CLI component. How big are the .apk files for it?

And how good do you think support for odd arches like powerpc and loongarch will be in Rust?

https://github.com/Tokisaki-Galaxy/webauthn-helper/actions/runs/21793715110/job/62877699717

==========================================
🗜️  UPX COMPRESSION SUMMARY
==========================================
| Target                                   | Before (KB)  | After (KB)   | Ratio      |
| ---------------------------------------- | ------------ | ------------ | ---------- |
| aarch64-unknown-linux-musl               |        956 KB |        371 KB |     61.2% |
| arm-unknown-linux-musleabi               |       1090 KB |        412 KB |     62.2% |
| arm-unknown-linux-musleabihf             |       1086 KB |        411 KB |     62.1% |
| armv5te-unknown-linux-musleabi           |       1094 KB |        414 KB |     62.2% |
| armv7-unknown-linux-musleabi             |       1078 KB |        409 KB |     62.1% |
| armv7-unknown-linux-musleabihf           |       1058 KB |        412 KB |     61.0% |
| mips-unknown-linux-musl                  |       1395 KB |        452 KB |     67.6% |
| mipsel-unknown-linux-musl                |       1395 KB |        461 KB |     66.9% |
| powerpc64le-unknown-linux-musl           |       1220 KB |        429 KB |     64.8% |
| riscv64gc-unknown-linux-musl             |        961 KB |        399 KB |     58.4% |
| x86_64-unknown-linux-musl                |       1140 KB |        418 KB |     63.3% |
==========================================

today, I rewrite github build action, support there arch.

thanks to pure rust(select webauthn-rp instead of webauthn-rs as core depend),basically, I support any rust support arch

if you want to download ipk/apk
https://github.com/Tokisaki-Galaxy/openwrt-webauthn-helper/releases