
Ask for recovery code if WebAuthn is the only 2FA

Eduardo Sanz García requested to merge eduardosanz/webauthn-recovery-codes into master

What does this MR do and why?

When the feature flag webauthn_without_totp is enabled, allow users to enter the recovery code in case WebAuthn is the only 2FA.

I believe the change in wording in Show numeric keyboard on mobile for 2fa codes (!112202 - merged) will help users with a WebAuthn device but no TOTP.

Changelog: changed

Screenshots or screen recordings

No changes

How to set up and validate locally

  1. In the Rails console, enable the feature flag: Feature.enable(:webauthn_without_totp)
  2. Go to https://gdk.test:3443/-/profile/two_factor_auth
  3. Disable all current 2FA.
  4. Select Set up new device. It should be available even if the two-factor authentication using TOTP is disabled.
  5. Follow the workflow and set up new WebAuthn device. Save recovery codes.
  6. Sign out
  7. Sign in and cancel all prompts until you can enter the recovery code.
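The lockout this MR addresses (a user whose only second factor is a WebAuthn device, with no TOTP, having no way to fall back to a recovery code) can be modelled in a few lines. The following is an added illustration, not GitLab's code: it assumes a toy `TwoFactorUser` with a TOTP flag and a list of WebAuthn registrations, an `allowed_second_factors` helper that mimics the pre-flag behaviour of tying recovery-code entry to TOTP, and a `webauthn_without_totp:` keyword standing in for the feature flag. SHA-256 stands in for the slow password hash a real system would use for stored recovery codes.

```ruby
require "digest"
require "securerandom"

# Added illustration for this MR, not GitLab's code. The class, method and
# keyword names below are assumptions made for the example.
class TwoFactorUser
  attr_reader :totp_enabled, :webauthn_registrations

  def initialize(totp_enabled: false, webauthn_registrations: [])
    @totp_enabled = totp_enabled
    @webauthn_registrations = webauthn_registrations
    @recovery_code_digests = []
  end

  def two_factor_enabled?
    totp_enabled || !webauthn_registrations.empty?
  end

  def remaining_recovery_codes
    @recovery_code_digests.size
  end

  # Mint fresh codes; only digests are kept, the plaintext is shown once.
  # SHA-256 is a stand-in for a slow password hash.
  def generate_recovery_codes(count = 10)
    codes = Array.new(count) { SecureRandom.hex(8) }
    @recovery_code_digests = codes.map { |code| digest(code) }
    codes
  end

  # Accept a code exactly once; the digest comparison is constant-time so
  # timing does not reveal how much of a guess matched.
  def consume_recovery_code(candidate)
    wanted = digest(candidate.to_s.strip.downcase)
    index = @recovery_code_digests.index { |stored| secure_compare(stored, wanted) }
    return false if index.nil?

    @recovery_code_digests.delete_at(index)
    true
  end

  private

  def digest(code)
    Digest::SHA256.hexdigest(code)
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Which inputs the second-factor prompt accepts. In this model the pre-flag
# behaviour ties recovery-code entry to TOTP, which strands a user whose only
# second factor is a WebAuthn device once that device is lost. With the flag
# on, recovery codes are accepted whenever any second factor is enforced.
def allowed_second_factors(user, webauthn_without_totp: false)
  factors = []
  factors << :totp if user.totp_enabled
  factors << :webauthn unless user.webauthn_registrations.empty?
  factors << :recovery_code if user.totp_enabled ||
                               (webauthn_without_totp && user.two_factor_enabled?)
  factors
end

if __FILE__ == $PROGRAM_NAME
  user = TwoFactorUser.new(webauthn_registrations: ["yubikey-1"])
  p allowed_second_factors(user)                               # [:webauthn]
  p allowed_second_factors(user, webauthn_without_totp: true)  # [:webauthn, :recovery_code]
  codes = user.generate_recovery_codes
  p user.consume_recovery_code(codes.first)                    # true
  p user.consume_recovery_code(codes.first)                    # false (one-time use)
end
```

The point to check in review of any such change is the invariant the model encodes: whenever a second factor is enforced, at least one non-device fallback (here the recovery code) must be accepted, and each recovery code must be consumed on use.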

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
