
Draft: Enable WebAuthn device registration without TOTP

Closed Eduardo Sanz García requested to merge eduardosanz/webauthn-without-totp into master
4 unresolved threads

What does this MR do and why?

Replaced the jQuery application for registering WebAuthn devices with a Vue component.

Made WebAuthn device registration possible without TOTP. Therefore, the Set up new device option is always available.

Increased security by adding a required password field to be able to register a new device.

We also introduced a few minor UI improvements.

Changelog: changed

Screenshots or screen recordings

[Before and after screenshots of the WebAuthn device registration UI]

The whole process using Chrome:

Screen_Recording_2023-02-10_at_09.56.35

How to set up and validate locally

  1. In rails console, enable the feature flag: Feature.enable(:webauthn_without_totp)
  2. Go to https://gdk.test:3443/-/profile/two_factor_auth
  3. Select Set up new device. It should be available even if the two-factor authentication using TOTP is disabled.
  4. Follow the workflow.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eduardo Sanz García

49085 49091 msgid "Your commit email is used for web based operations, such as edits and merges."
49086 49092 msgstr ""
49087 49093
49094 msgid "Your current password is required to register a new device."
  • 16612 16615 msgid "Examples"
    16613 16616 msgstr ""
    16614 16617
    16618 msgid "Except for USB security keys, we recommend including the browser vendor and computer name in the device name."
    • Question: Is there any guidance for USB security keys? Should the user include another piece of information?

      Suggested change
      16630 msgid "Except for USB security keys, we recommend including the browser vendor and computer name in the device name."
      16630 msgid "Excluding USB security keys, you should include the browser vendor and computer name in the device name."
    • There is no specific guidance for USB security keys.

      I don't think the message is accurate or clear. I am trying to encourage users to include the browser (device) and computer names to make sure they understand that some WebAuthn devices only work under the same browser-computer combo used during the device registration.

      A USB security key can be carried around, so you can sign in from any computer.

      Safari offers storing newly created passkeys in iCloud so they can be used in Safari on other devices (iPad, iPhones, or Mac computers), if signed in with the same Apple ID on both devices.

      But for other browsers this is not the case: if one uses a non-Safari browser, the person can't expect to be able to sign in using a different computer. In addition, if the browser cache is cleared, users will be unable to sign in.

      I personally would use these device names:

      • YubiKey [model if I have several] (just device, no computer name needed)
      • Safari (just device, no computer name needed if I sync the passkey)
      • Safari on laptop (device and computer name when I don't sync the passkey)
      • Chrome Beta on laptop (device and computer name)

      Chrome, Chrome Beta, Chrome Canary and Chrome Dev are different devices. Firefox and Firefox Developer Editions are also different devices.

      Two-factor authentication using WebAuthn is fragile. The user must always save their recovery codes.

      I wonder if an info alert is better suited to explain all the above. I really would like to avoid mentioning any particular browser vendor. Would something like this be understandable?

      You can lose access to your account:
      * Always save recovery codes (only available the first time you set a two-factor authentication method).
      * Clearing the cache of your browser will make you unable to sign in.
      * Some WebAuthn devices, like USB security keys, or browsers that allow you to store the passkey in the cloud, can be used on different computers[1].
      * Other WebAuthn devices can only be used on the same computer[1] where the device was registered.

      [1] I used the word computer and not device to avoid confusion with WebAuthn device.

      Edited by Eduardo Sanz García
    • Thanks @eduardosanz, that all makes sense. I think there are a couple of possible approaches:

      1. Keep all the information in an info alert, but put the strongest message upfront rather than in an unordered list. For example:

        Suggested change
        16630 msgid "Except for USB security keys, we recommend including the browser vendor and computer name in the device name."
        16630 msgid "You must save your recovery codes when you first set up two-factor authentication with your WebAuthn
        16631 device, so you do not lose access to your account. When managing your WebAuthn device, you should be aware that:
        16632 * If you clear your browser cache, you must re-authenticate before you can sign in.
        16633 * Some WebAuthn devices, like USB security keys or browsers that allow you to store the passkey in the cloud, can
        16634 be used on different computers.
        16635 * Other WebAuthn devices can only be used on the same computer where the device was registered."
      2. Keep the alert short but link to documentation for the supporting information (assuming that this type of alert supports linking). For example:

        Suggested change
        16630 msgid "Except for USB security keys, we recommend including the browser vendor and computer name in the device name."
        16630 msgid "You must save your recovery codes when you first set up two-factor authentication with your WebAuthn
        16631 device, so you do not lose access to your account. See the documentation on managing your WebAuthn device for
        16632 more information."

      What do you think?

    • I think a shorter alert and linking to the documentation is the way forward. Thanks!

    • Ok great. If you're happy with this suggestion, please apply it and then I'll approve.

    • Eduardo Sanz García changed this line in version 3 of the diff
  • mentioned in issue #378844 (closed)

  • Jon Glassman mentioned in merge request !111317 (merged)

  • Eduardo Sanz García added 1237 commits

    Compare with previous version

  • Eduardo Sanz García changed the description

  • Eduardo Sanz García changed the description

  • I am closing this MR in favour of !111659 (merged)
