Webauthn support #42
Consider U2F legacy. Instead of U2F, you want FIDO2. WebAuthn is the thing you are implementing.

IMO enrolment should be managed by RBAC.

**Authenticator management**

Allow admin to exclude the requirement for 2FA on a specific user for a time period. If the policy is minimum 2 authenticators, allow the user to be good with either (chosen by admin) 0 or 1 authenticators.

**Self-service**

To access the page, users must authenticate with a valid device. This authgate can be reused from the normal auth flow. If configured (RBAC or global flag?) to forbid self-service, there will only be an admin bypass request button[^1]. Admins should be able to add custom text to the page (localization, out-of-band contacts, instructions, etc.).

**Admin bypass**

A 'request admin' button[^2]. Admin has a dashboard to view all pending requests + optionally notification[^3] to lessen the time the user waits. After admin permission, the user can access the self-service page from the same device. The first access must be done within n hours. After the first open, the access is shortened to x minutes (extended with every interaction), capped to y hours.

If the user reached the page by using an authenticator (not admin bypass), then removing the same device prompts for authentication of another device or admin bypass (to prevent lockouts).

Adding devices takes the serial code (using the scary prompt below) instead of letting the user insert a name. Users such as @jtagcat are known to mix up their identical-looking authenticators. If the authenticator is a (non-USB) device, ask for a name. On the page, provide a button to identify/verify a device + where to find the serial code[^4] physically.

For all actions, there is an audit trail. Rate limits (&/ admin notification/view) for adding devices.

Footnotes
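The rules in the comment above (time-boxed admin exemption from the minimum-authenticator policy, the admin-bypass window of n hours to first open then x minutes sliding and capped at y hours, and the lockout guard when removing the device that opened the session) as an added worked example. This is illustration code written for this page, not the project's own code: the constant values, the field names (`minAuthenticators`, `exemption.until`, `session.via`, `credentialIds`) and the extra rule that a removal may not drop the user below the current minimum are all assumptions.

```javascript
// Added illustration of the 2FA policy and admin-bypass rules from the comment
// above; not the project's code. Time values, field names and the "removal may
// not drop below the minimum" rule are assumptions.
const MINUTE = 60 * 1000;
const HOUR = 60 * MINUTE;

// Assumed policy knobs: n hours to first open, x minutes idle window,
// y hours hard cap counted from the first open.
const BYPASS_FIRST_OPEN_WITHIN = 24 * HOUR;   // n
const BYPASS_IDLE_WINDOW = 15 * MINUTE;       // x
const BYPASS_HARD_CAP = 4 * HOUR;             // y

// Minimum number of enrolled authenticators the user must have at `now`.
// `policy.minAuthenticators` comes from RBAC; a time-boxed admin exemption
// lowers it to `allowedMinimum` (0 or 1) until `exemption.until`.
function requiredAuthenticators(policy, exemption, now) {
  if (exemption && now < exemption.until) {
    return Math.min(policy.minAuthenticators, exemption.allowedMinimum);
  }
  return policy.minAuthenticators;
}

// One approved admin-bypass request, bound to the device that asked for it.
class BypassGrant {
  constructor(userId, deviceId, grantedAt) {
    this.userId = userId;
    this.deviceId = deviceId;        // device fingerprint that requested bypass
    this.grantedAt = grantedAt;      // when the admin approved
    this.firstOpenedAt = null;
    this.expiresAt = null;
  }

  // Called on every self-service interaction. Returns true if the interaction
  // is allowed and, if so, extends the window; false leaves the grant unchanged.
  touch(deviceId, now) {
    if (deviceId !== this.deviceId) return false;
    if (this.firstOpenedAt === null) {
      // First open must happen within n hours of approval.
      if (now > this.grantedAt + BYPASS_FIRST_OPEN_WITHIN) return false;
      this.firstOpenedAt = now;
    } else if (now > this.expiresAt) {
      return false;
    }
    // Slide the window by x minutes, never past y hours after first open.
    this.expiresAt = Math.min(now + BYPASS_IDLE_WINDOW,
                              this.firstOpenedAt + BYPASS_HARD_CAP);
    return true;
  }
}

// Lockout guard for the "remove authenticator" action.
// `session.via` is 'authenticator' (with the credentialId that opened the page)
// or 'bypass'. `otherAuthenticatorVerified` is true once the user has just
// asserted with a different enrolled authenticator.
function canRemoveAuthenticator(user, session, credentialId, now,
                                otherAuthenticatorVerified = false) {
  const remaining = user.credentialIds.filter(id => id !== credentialId);
  // Assumed rule: never let a removal drop the user below the current minimum.
  if (remaining.length < requiredAuthenticators(user.policy, user.exemption, now)) {
    return false;
  }
  // Removing the very device that authenticated this session needs a fresh
  // assertion from another device; a bypass session falls through to true.
  if (session.via === 'authenticator' && session.credentialId === credentialId) {
    return otherAuthenticatorVerified;
  }
  return true;
}
```

The grant is keyed on the requesting device so that an approval cannot be replayed from elsewhere, and a refused `touch` deliberately leaves the grant's state untouched, so a late or foreign request can neither open nor extend the window.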
The scope of this ticket is the introduction of meaningfully secure U2F support. For example, resetting U2F keys via e-mail doesn't add meaningful security.
Global enrollment flag options:
Global update flag options:
Introduce `policy` attribute for OIDCGWClient to specify what the authentication policy for the application is.

Adjacent topics: Export Prometheus metrics per application/group about how many users can log in and using which policy. This would go hand in hand with as-needed-basis U2F: it should be possible to write an alert that triggers if a user has access to an OIDC application with U2F policy enabled, yet hasn't enrolled keys in a reasonably short time (e.g. 7 days).
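The per-application `policy` attribute, the per-application "how many users can log in" metric and the 7-day enrolment alert, as an added worked example. This is illustration code written for this page, not the project's code: the client and user record shapes, the policy values `'none'` and `'u2f'`, the group-membership timestamps, the metric names and the sample data are all constructed assumptions.

```javascript
// Added example, not the project's code. Simulates a `policy` attribute on
// OIDCGWClient-like records and derives Prometheus metrics plus the overdue
// enrolment signal described in the issue. All data shapes and names are assumed.
const DAY = 86400 * 1000;
const ENROLMENT_GRACE = 7 * DAY;   // "reasonably short time", e.g. 7 days

// Constructed sample data (not real configuration).
const clients = [
  { name: 'wiki',    policy: 'u2f',  allowedGroups: ['staff'] },
  { name: 'grafana', policy: 'none', allowedGroups: ['staff', 'contractors'] },
];
const users = [
  // groups: { groupName: timestamp when membership was granted }
  { name: 'alice', groups: { staff: 0 },       credentials: ['cred-a1'] },
  { name: 'bob',   groups: { staff: 0 },       credentials: [] },   // overdue
  { name: 'carol', groups: { staff: 9 * DAY }, credentials: [] },   // still in grace
  { name: 'dave',  groups: { contractors: 0 }, credentials: [] },   // no u2f app
];

function hasAccess(client, user) {
  return client.allowedGroups.some(g => g in user.groups);
}

// Earliest moment the user gained access to the client through any allowed group.
function accessSince(client, user) {
  const since = client.allowedGroups.filter(g => g in user.groups).map(g => user.groups[g]);
  return since.length ? Math.min(...since) : Infinity;
}

// The policy decides whether a login can succeed for this user right now.
function canLogin(client, user) {
  switch (client.policy) {
    case 'none': return true;
    case 'u2f':  return user.credentials.length > 0;
    default:     throw new Error(`unknown policy ${client.policy}`);
  }
}

// Has access to a u2f-policy app, has no key, and the grace period has passed.
function enrolmentOverdue(client, user, now) {
  return client.policy === 'u2f'
    && user.credentials.length === 0
    && now - accessSince(client, user) > ENROLMENT_GRACE;
}

function collectMetrics(clients, users, now) {
  return clients.map(client => {
    const eligible = users.filter(u => hasAccess(client, u));
    return {
      client: client.name,
      policy: client.policy,
      eligible: eligible.length,
      canLogin: eligible.filter(u => canLogin(client, u)).length,
      overdue: eligible.filter(u => enrolmentOverdue(client, u, now)).map(u => u.name),
    };
  });
}

// Prometheus text exposition; metric and label names are assumed.
function renderExposition(metrics) {
  const lines = [
    '# HELP oidc_application_users Users per application by login state',
    '# TYPE oidc_application_users gauge',
  ];
  for (const m of metrics) {
    const labels = `application="${m.client}",policy="${m.policy}"`;
    lines.push(`oidc_application_users{${labels},state="eligible"} ${m.eligible}`);
    lines.push(`oidc_application_users{${labels},state="can_login"} ${m.canLogin}`);
    lines.push(`oidc_application_users{${labels},state="enrolment_overdue"} ${m.overdue.length}`);
  }
  return lines.join('\n') + '\n';
}
```

With these (assumed) metric names the alert in the issue becomes a plain threshold rule on `oidc_application_users{state="enrolment_overdue"} > 0`; the grace period is evaluated per user from the time they gained access, so a fresh group member does not fire the alert on day one while a long-standing member with no key does.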