
Add ability to sign in using passkeys

Helio Cola requested to merge gitlab-community/gitlab:feature/passkeys into master

What does this MR do and why?

Add Passkeys in Accounts Profile show page

Add a link on the sign in page to allow a user to sign in with their Passkeys

Issue: #366758

Feature flag issue: #434290 (closed)

Changelog: added

Still pending on this MR

  • Test the flow with Passkeys stored in a Password manager and document the behavior
  • Check if the creation of a WebAuthn Device (not introduced in this MR) requires User Verification
  • Wrap this feature behind a feature flag (ref: !135324 (comment 1678814630))
  • DRY the table in app/views/profiles/accounts/show.html.haml as this was duplicated while this MR was in POC status. Now that this is behind a FF I will review that code and try to find a DRY solution.

Screenshots or screen recordings

The image below shows how the Passkeys will be displayed in the User profile page. This MR doesn't change how they are created (under the Account -> 2FA section), it just displays the WebAuthn devices registered as Passkeys. [Screenshot: 1.Account_Passkeys_list]

The image below shows the option to sign in with Passkeys, which takes you to a page where you type in your email/username and execute the Passkeys flow. This MR reuses 100% of the Passkeys flow code used for the Passkeys as 2FA, when the sign_in is done via Password. [Screenshot: 2.Sign_in_with_Passkeys_option]

The image below shows the Sign in with Passkeys page where the user will type username/email and opt for the remember me option. [Screenshot: 5.Sign_in_with_Passkeys_page]

The image below just shows the Browser/OS passkeys prompt. This is a native behavior and not code/feature in this MR. [Screenshot: 3.Passkeys_biometric_prompt]

The image below just shows the Passkeys in the Passwords app on my Mac. This is a native behavior and not code/feature in this MR. [Screenshot: 4.Passkeys_created]

How to set up and validate locally

  1. Get GitLab/GDK setup and running locally
  2. Sign in with default root account
  3. Go To Account -> 2FA
  4. Enable 2FA and register a WebAuthn Device <At this point you can sign in with your username, password, and your passkeys as 2FA>
  5. Sign out
  6. Go to the Sign in page and click the Sign in with Passkeys link
  7. Type in your username and select remember me
  8. Click Sign in with your Passkeys
  9. Get prompted for your passkeys and follow the process correctly
  10. Voilà! You are authenticated

Other considerations

Webauthn Device vs Passkeys nomenclature

The info displayed in the Passkeys section (added in this MR) is in fact the WebAuthn Device registered in the 2FA section. Having these 2 entities dropped in may cause more confusion.

There is already an attempt to improve the wording in the WebAuthn Device section in issue 429833 that can be taken into consideration.

Most places I've seen implementing Passkeys don't use the term WebAuthn Device. RubyGems.org does use it, as Security Device, and currently only has support for it as a 2FA (not sign-in like I am introducing in this MR).

Bypass 2FA for Passkeys sign in or not?

The FIDO Alliance softly claims (my own wording) that Passkeys are 2FA by design (reference: look for the question "Are Passkeys considered multi-factor authentication?" in https://fidoalliance.org/passkeys/#faq) and it states, in the same reference and quoted below, that this is still pending recognition.

Note that some regulatory regimes still have to evolve to recognize passkeys as one of the officially listed forms of multi-factor. This is an area of active engagement for the FIDO Alliance.

In this MR, when signing in with passkeys, any other 2FA method (like an authenticator app) is not used.

With that said, Passkeys stored in password managers, and not in your native OS/browser support, probably don't go through the biometric, thus 2FA auth in GitLab in this scenario will turn into single factor auth. DISCLAIMER: I have not tested Passkeys using password managers yet (neither here nor anywhere else I use Passkeys) because I only use them integrated with my Apple devices (MacBooks and iPhone).

There are two important details to check and test here:

  1. What is the Passkeys auth flow when using a password manager browser extension?
  2. Check if the WebAuthn Device registration requires User Verification (the FIDO Alliance 2FA argument is conditional on using User Verification and I have not checked if that is the case for the creation of the Passkeys/WebAuthn device that this MR is relying on).

In my opinion, having a 2FA (aka authenticator app) when already using Passkeys with biometric authentication is unnecessary, but I don't know yet if there is a way to detect which scenario the user is going through.

UPDATE [Dec-07-23]: GitLab uses user_verification: 'discouraged'

This doesn't mean user verification is never performed. In my tests on my local machine (macOS) using Chrome and Safari, the biometric verification does happen. I wrote a bit more here: #366758 (comment 1683248156)

Reference: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html

UPDATE [Dec-08-23]: Passkeys flow with password manager did not ask for the biometric

My tests were limited to Firefox and Bitwarden (which is the password manager I use), and in this scenario only my passkeys are used and my biometric is not verified.

At GitLab.com I was not able to create a Passkey using Firefox, but I can create one on webauthn.io and on a .com web app I created (RoR using the devise-passkeys gem, which also uses cedarcode/webauthn-ruby that GL.com uses), both without being requested to validate the biometrics.
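The two updates above (user_verification: 'discouraged' still producing a biometric prompt on macOS, and a password-manager passkey skipping the biometric entirely) come down to one bit the relying party can check on every login: the UV flag in the authenticatorData the browser returns with each assertion. The Ruby below is an added example, not code from this MR or from the webauthn-ruby gem GitLab uses. It parses the fixed authenticatorData prefix, checks the RP ID hash and the signature counter, and turns the UP/UV flags into a sign-in decision, so a presence-only assertion falls back to the user's other second factor instead of silently becoming single-factor auth. The RP ID gitlab.example, the helper names and the sample bytes are constructed for the example; signature, challenge and origin validation are the WebAuthn library's job and are not repeated here.

```ruby
require "digest"

# Flag bits of the WebAuthn authenticatorData "flags" byte (WebAuthn spec, Authenticator Data).
FLAG_UP = 0x01 # User Present: the user touched/clicked/confirmed the authenticator
FLAG_UV = 0x04 # User Verified: biometric, PIN or device unlock was performed
FLAG_AT = 0x40 # Attested credential data follows (registration only)
FLAG_ED = 0x80 # Extension data follows

AuthenticatorData = Struct.new(:rp_id_hash, :flags, :sign_count) do
  def user_present?
    (flags & FLAG_UP) != 0
  end

  def user_verified?
    (flags & FLAG_UV) != 0
  end
end

# Parse the fixed 37-byte prefix: rpIdHash (32) || flags (1) || signCount (4, big-endian).
# Attested credential data and extensions, if present, follow it and are ignored here.
def parse_authenticator_data(bytes)
  raise ArgumentError, "authenticator data too short" if bytes.bytesize < 37

  AuthenticatorData.new(
    bytes.byteslice(0, 32),
    bytes.getbyte(32),
    bytes.byteslice(33, 4).unpack1("N")
  )
end

# Classify an assertion's authenticatorData from the relying party's point of view:
#   :reject        wrong RP ID, no user presence, or a signature counter that did not advance
#   :single_factor valid, but the authenticator only proved user presence (UV bit clear)
#   :multi_factor  valid and the authenticator proved user verification (UV bit set)
def classify_assertion(auth_data_bytes, expected_rp_id:, stored_sign_count:)
  data = parse_authenticator_data(auth_data_bytes)
  return :reject unless data.rp_id_hash == Digest::SHA256.digest(expected_rp_id)
  return :reject unless data.user_present?

  # Counters are optional (synced passkeys usually report 0). Once either side reports a
  # non-zero value, the new count must be strictly greater, otherwise a cloned key is suspected.
  counters_in_use = data.sign_count != 0 || stored_sign_count != 0
  return :reject if counters_in_use && data.sign_count <= stored_sign_count

  data.user_verified? ? :multi_factor : :single_factor
end

# Sign-in policy for a passwordless passkey login. Only a user-verified assertion counts as
# two factors (possession + biometric/PIN); a presence-only assertion must be backed by the
# user's other second factor rather than being accepted as-is.
def passkey_sign_in_decision(auth_data_bytes, expected_rp_id:, stored_sign_count:)
  case classify_assertion(auth_data_bytes, expected_rp_id: expected_rp_id,
                                           stored_sign_count: stored_sign_count)
  when :multi_factor  then :signed_in
  when :single_factor then :require_second_factor
  else :denied
  end
end

# Helper for constructed scenarios: build authenticatorData bytes for a given RP and flags.
def build_authenticator_data(rp_id, flags, sign_count)
  Digest::SHA256.digest(rp_id) + [flags].pack("C") + [sign_count].pack("N")
end

RP_ID = "gitlab.example" # assumed relying party ID, not a real deployment value

if __FILE__ == $PROGRAM_NAME
  scenarios = {
    # Platform authenticator with a biometric prompt: UP and UV both set.
    biometric:     [build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 0), 0],
    # Password-manager passkey that only confirmed presence: UV clear.
    presence_only: [build_authenticator_data(RP_ID, FLAG_UP, 0), 0],
    # Assertion issued for a different RP ID.
    wrong_rp:      [build_authenticator_data("other-site.example", FLAG_UP | FLAG_UV, 0), 0],
    # Counter 7 when the stored value is already 10.
    replayed:      [build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7), 10]
  }
  scenarios.each do |name, (bytes, stored)|
    puts "#{name}: #{passkey_sign_in_decision(bytes, expected_rp_id: RP_ID, stored_sign_count: stored)}"
  end
end
```

Requesting userVerification: 'required' in the get() options is the other half of this: it tells the authenticator to insist on UV, but the server should still read the flag rather than trust the preference, because both 'discouraged' and 'preferred' allow the authenticator to answer with UV clear.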

Sign in order: Passwords, Passkeys, OAuth providers

On my local machine, the only SSO provider is Google, which is probably set up by default, so the login page shows all options above the fold. But on the GitLab.com website there are 4, and if Sign in with Passkeys stays in between Passwords and OAuth/SSO, then some OAuth providers will go below the fold. In the scenario where Sign in with Passkeys will go below the fold.

So this is an interesting UX problem to solve. Below are a couple of possible solutions I thought of when working on this:

  1. Put Sign in with Password and Sign in with Passkeys side by side (maybe with a toggle or tabs or both visible); this will require the password presence validation to be ignored when using Passkeys, given username and remember me are used in both scenarios.
  2. There is an auto-discover feature in Passkeys so that you don't even need to type in your username.
  3. Shrink the Sign in with Passkeys section and maybe not have the "or" divider (as in this MR, given how the OAuth/SSO currently is).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Helio Cola
