Delete OTP authenticator without affecting WebAuthn
What does this MR do and why?
This change, under the two_factor_actions feature flags, allows disabling the one-time authenticator without affecting registered WebAuthn devices.
Before this change, it was possible to (1) unregister WebAuthn devices (without affecting the OTP authenticator) or (2) disable the whole two-factor authentication (OTP + WebAuthn). This additional option brings parity between WebAuthn devices and the OTP authenticator. It is now possible to delete either one without affecting the other (or delete both by disabling the whole two-factor authentication).
Closes #393419 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
How to set up and validate locally
- Enable the delete_otp_no_webauthn feature flag: /rails/features
- Go to /-/profile/two_factor_auth, enable one OTP and one WebAuthn
- Delete the OTP authenticator. WebAuthn device stays untouched.
