fix: Explicitly mention OTPs on tsh/Windows logins (#30302)

gravitational · Aug 14, 2023 · abd19d1 · abd19d1
1 parent 8f69de9
commit abd19d1
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/lib/client/mfa.go b/lib/client/mfa.go
@@ -32,6 +32,7 @@ import (
 	"github.com/gravitational/teleport/api/observability/tracing"
 	wanlib "github.com/gravitational/teleport/lib/auth/webauthn"
 	wancli "github.com/gravitational/teleport/lib/auth/webauthncli"
+	"github.com/gravitational/teleport/lib/auth/webauthnwin"
 	"github.com/gravitational/teleport/lib/utils/prompt"
 )
 
@@ -242,6 +243,13 @@ func PromptMFAChallenge(ctx context.Context, c *proto.MFAAuthenticateChallenge,
 				prompt.SecondTouchMessage = ""
 			case hasTOTP: // Webauthn + OTP
 				prompt.FirstTouchMessage = fmt.Sprintf("Tap any %ssecurity key or enter a code from a %sOTP device", promptDevicePrefix, promptDevicePrefix)
+
+				// Customize Windows prompt directly.
+				// Note that the platform popup is a modal and will only go away if
+				// canceled.
+				webauthnwin.PromptPlatformMessage = "Follow the OS dialogs for platform authentication, or enter an OTP code here:"
+				defer webauthnwin.ResetPromptPlatformMessage()
+
 			default: // Webauthn only
 				prompt.FirstTouchMessage = fmt.Sprintf("Tap any %ssecurity key", promptDevicePrefix)
 			}