Skip to content

Switch webauthn feature flag on

Summary

This issue is to enable the webauthn feature flag.

Before that, we need to be sure that we already converted all U2F registrations to WebAuthn registrations. As mentioned in #232669 (closed), there's no way back disabling the feature flag, because WebAuthn registrations cannot be converted back to U2F registrations.

Owners

  • Team: ~"group::access"
  • Most appropriate slack channel to reach out to: #g_manage_access
  • Best individual to reach out to: @ifarkas
  • PM: @hsutor

Stakeholders

The Rollout Plan

Unfortunately, the options for rollout are limited. The feature flag is global without any actor: we cannot roll out incrementally or to specific users / groups / projects. We cannot disable it once it's turned on, because there's no WebAuthn -> U2F conversion. The proposed steps:

  • enable the feature flag on staging
    • verify there's no bug / regression
      • before enabling the feature flag:
        • get at least 2 people (say, A and B) to register their device
      • after enabling the feature flag:
        • get another 2 people (say, C and D) to register their device (so that they are directly registered via WebAuthn)
        • get A, B, C and D to check if login works
        • get A, B, C and D to remove the device on their accounts and see if login works fine without 2FA
        • get A, B, C and D to re-register their device on their accounts and see if login still works
  • enable on production
    • verify there's no bug / regression
      • before enabling the feature flag:
        • Get at least 2 people (say, A and B) to register their device
      • after enabling the feature flag:
        • get another 2 people (say, C and D) to register their device (so that they are directly registered via WebAuthn)
        • get A, B, C and D to check if login works
        • get A, B, C and D to remove the device on their accounts and see if login works fine without 2FA
        • get A, B, C and D to re-register their device on their accounts and see if login still works
  • make the feature flag default enabled: !50735 (merged)

Expectations

What are we expecting to happen?

Seamless upgrade from U2F to WebAuthn. Users should be able to use their existing U2F devices.

What might happen if this goes wrong?

User are not able to log in using U2F devices.

What can we monitor to detect problems with this?

  • error rate on /users/sign_in endpoint (SessionsController#create)

Rollback Steps

We cannot cleanly roll back the feature flag. An option is to disable the feature flag and delete all WebAuthn registrations that don't have associated U2F registration:

WebauthnRegistration.where(u2f_registration_id: nil).destroy_all
Edited by Imre Farkas