Remove OTP from being required before WebAuthn Device is registered (!107438) · Merge requests · GitLab.org / GitLab

Aboobacker MK requested to merge remove-totp-req-webauthn into master Dec 20, 2022

What does this MR do and why?

This is the first set of backend changes for #378844 (closed). This MR removes the requirement that Time-based OTP need to enabled for Webauthn to work.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

In rails console, run: Feature.enable(:webauthn_without_totp)
Visit https://gdk.test:3443/-/profile/two_factor_auth and click on "Set up new device"
Register webauthn device
Save backup codes / click "Proceed"
Webauthn registration success message should be shown on page
Visiting https://gdk.test:3443/-/profile/two_factor_auth should show your registered Webauthn device
Sign out of GitLab and back in, Webauthn validation should be required in login flow and allow you to complete login.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Jan 18, 2023 by Aboobacker MK

Remove OTP from being required before WebAuthn Device is registered

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports