Re: Time to add FIDO2 support? - Mailing list pgsql-hackers

From Zsolt Parragi
Subject Re: Time to add FIDO2 support?
Date
Msg-id CAN4CZFNCrY-CrKenU1dVto27XFBE43PuFT8A6rkgxQvWLOPRqA@mail.gmail.com
In response to Time to add FIDO2 support?  ("Joel Jacobson" <joel@compiler.org>)
Responses Re: Time to add FIDO2 support?
List pgsql-hackers
> Would others be interested in adding support for FIDO2 as a new SASL
> authentication mechanism?

Me definitely, I was also thinking about the same thing. For context,
I did implement fido authentication for Percona Server for MySQL.

But as far as I know, SASL only has drafts[1][2] about fido, not accepted RFCs.

This is also related to why I asked about generic (not oauth related)
authentication plugins on the list a few days ago[3]; one of the
things I was thinking about was fido/webauthn.

> Add "fido2" to pg_hba.conf:
>
> hostssl all all 0.0.0.0/0 fido2
> hostssl all all ::/0 fido2

It would be really good to implement MFA properly (allowing users to
configure password + fido requirement for login), but that would also
require changes in pg_hba processing.

[1] : https://www.ietf.org/archive/id/draft-bucksch-sasl-passkey-00.html
[2] : https://www.ietf.org/archive/id/draft-ietf-kitten-scram-2fa-05.html
[3] : https://www.postgresql.org/message-id/CAN4CZFN%3D5%3DdWvY%3DYAPeF4PVOMtR5U6jMLc2kCSHdO0EhejPp%2BQ%40mail.gmail.com


