Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use distinct prompts during Windows WebAuthn registration #30195

Merged
merged 2 commits into from
Aug 9, 2023
Merged

Use distinct prompts during Windows WebAuthn registration #30195

merged 2 commits into from
Aug 9, 2023

Conversation

codingllama
Copy link
Contributor

@codingllama codingllama commented Aug 8, 2023
edited

Clearly distinguish between "registered" and "new" devices on Windows "platform" prompts. This is relevant for Windows because it uses the system APIs for both Hello and WebAuthn devices.

I've decided against doing a similar change for Touch ID, as there isn't much to confuse there (lib/auth/touchid doesn't prompt devices other than Touch ID).

Changing the globals is safe because only one WebAuthn prompt happens at a time.

#17563

Changelog: Explicitly mention registered and new device when running tsh mfa add on Windows

@github-actions github-actions bot added size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Aug 8, 2023
@codingllama
Copy link
Contributor Author

FYI @tobiaszheller.

@codingllama
Copy link
Contributor Author

A few tests on Windows:

$ .\tsh.exe mfa add --type=WEBAUTHN --name=test
Allow passwordless logins [YES, NO]: no
Using platform authentication for *registered* device, follow the OS dialogs
Using platform authentication for *new* device, follow the OS dialogs
MFA device "test" added.

$ .\tsh.exe webauthnwin diag

WebauthnWin available: true
Compile support: true
DLL API version: 2
Has platform UV: true
Using platform authenticator, follow the OS dialogs
Using platform authenticator, follow the OS dialogs
Register successful: true
Login successful: true

Took me a while to figure out I had to cancel the initial Hello PIN prompt to get it to prompt my Yubikey, but hey it works. (Nothing we can do about that either.)

zmb3
zmb3 approved these changes Aug 8, 2023
View reviewed changes
tool/tsh/common/mfa.go Show resolved Hide resolved
tobiaszheller
tobiaszheller approved these changes Aug 9, 2023
View reviewed changes
Copy link
Contributor

@tobiaszheller tobiaszheller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, there is one more issue related to prompt messages on windows: #25051

@codingllama codingllama added this pull request to the merge queue Aug 9, 2023
Merged via the queue into master with commit e42ff05 Aug 9, 2023
20 checks passed
@codingllama codingllama deleted the codingllama/plat-prompts branch August 9, 2023 13:28
@public-teleport-github-review-bot
Copy link

@codingllama See the table below for backport results.

Branch Result
branch/v11 Create PR
branch/v12 Create PR
branch/v13 Create PR

This was referenced Aug 9, 2023
Merged
Merged
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zmb3 zmb3 zmb3 approved these changes

@tobiaszheller tobiaszheller tobiaszheller approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees
No one assigned
Labels
backport/branch/v13 size/sm tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@codingllama @zmb3 @tobiaszheller @rosstimothy