Yeah. I knew you did not mean that but what you later described. Just
wanted to make that part a bit more clear.
Thanks.
On Fri, Nov 22, 2019 at 4:49 AM Marek Posolda <mposolda(a)redhat.com> wrote:
On 21. 11. 19 21:59, Pedro Igor Silva wrote:
On Thu, Nov 21, 2019 at 5:23 PM Marek Posolda <mposolda(a)redhat.com> wrote:
> The WebAuthn authentication is available in Keycloak since the last 8.0
> release. We have plans to do some improvements around it like:
>
> - Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
> WebAuthn is the kind of credential which is often used as either
> 2nd-factor or passwordless. This is not the case for some other common
> credentials - for example, password is usually used as 1st-factor while
> OTP is usually used as 2nd-factor. We discussed within the Keycloak team
> that we want to allow users/administrators to be able to use WebAuthn as
> both 1st-factor and 2nd-factor even within a single authentication flow.
> To achieve this, we want the ability to have 2 WebAuthn configurations
> (WebAuthn policies) within the realm - one for passwordless and one for
> 2-factor authentication. Because of some limitations in current
> framework, we will also temporarily duplicate some java classes
> (Authenticator, RequiredAction, CredentialProvider etc) to be able to
> differentiate between WebAuthn passwordless and 2nd-factor. This will be
> improved in the future, but so far, priority is to improve experience
> for the end user, so workaround of duplicating classes may be fine. Some
> details in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-12174 .
>
I don't quite understand where WebAuthn will be used in different steps
for different factors in a single flow. Please correct me if I'm wrong, but
when using WebAuthn you either use it as a 2nd factor (considering the 1st is
username/password) or as MFA (if the RP sets UserVerification to required) as
a 1st factor.
Yes, a single user won't use WebAuthn as both passwordless and 2-factor
during a single authentication flow. I rather mean that a single authentication
flow will be configured in a way which allows WebAuthn to be used
either as 1st-factor or as 2nd-factor. Sorry that this wasn't clear when I
wrote it above.
So for example, assume the configuration of the authentication flow looks like this:
Auth type                          | Requirement
-----------------------------------+-------------------------------------------
Cookie                             | [x] Alternative  [ ] Required  [ ] Disabled
Kerberos                           | [x] Alternative  [ ] Required  [ ] Disabled
Identity Provider Redirector       | [x] Alternative  [ ] Required  [ ] Disabled
Authenticate with Keycloak         | [x] Alternative  [ ] Required  [ ] Disabled
  | - Username Form                | [ ] Alternative  [x] Required  [ ] Disabled
  | - WebAuthn passwordless        | [x] Alternative  [ ] Required  [ ] Disabled
  | - Authenticate with MFA        | [x] Alternative  [ ] Required  [ ] Disabled
      | - Password                 | [ ] Alternative  [x] Required  [ ] Disabled
      | - WebAuthn - 2nd factor    | [ ] Alternative  [x] Required  [ ] Disabled
In this case the user will be able to authenticate either with "WebAuthn
passwordless" (if he has the proper security key, which requires
UserVerification through a PIN, etc.) OR with password + WebAuthn as 2nd
factor. Does it make more sense now?
Marek
Passwordless can be done by just username/user presence or by MFA if the
RP tells the authenticator to check the identity (bio/PIN/etc.).
>
> - Improving usability of WebAuthn authentication: So far we discussed
> that when the WebAuthn authentication form is displayed, there won't be
> checkboxes with the available WebAuthn authenticators, but instead all the
> registered WebAuthn authenticators of the particular user (and the particular
> factor, according to whether we're authenticating as 1st-factor or 2nd-factor)
> will be tried. This means there is no need to explicitly submit
> via "Login"; WebAuthn authentication will be tried immediately when
> the WebAuthn authentication form is displayed. We want the ability for the
> user to retry authentication or eventually go back and "try another way"
> to authenticate (for example via OTP if the user has both OTP and WebAuthn
> as alternatives for 2nd-factor authentication). More details in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-12177 .
>
> If you have any feedback, feel free to comment.
>
> Thanks,
> Marek
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
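An added example, not code from this thread or from Keycloak itself, showing what the relying-party side of the passwordless vs. 2nd-factor split discussed above has to do: the RP asks for `userVerification: required` only under the passwordless policy, puts all of the user's registered credentials for that policy into `allowCredentials` so the browser tries each of them without a separate submit, and then, when the assertion comes back, checks the UP and UV flag bits in the authenticator data against the policy rather than trusting that the authenticator honoured the request. The policy names, the rpId `example.com` and the authenticator data bytes are assumptions constructed for the example; signature verification over `authData || sha256(clientDataJSON)` is assumed to happen before `check_assertion` runs.

```python
"""Policy-aware WebAuthn assertion check (constructed example, not Keycloak code)."""
import hashlib
import struct
from typing import Dict, List, Tuple

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present: the authenticator saw a touch or gesture
FLAG_UV = 0x04  # user verified: PIN, biometric, etc. was checked on the device

# Assumed realm-level policies, named after the two WebAuthn policies the
# thread proposes. The keys and layout are illustrative, not Keycloak's schema.
POLICIES: Dict[str, Dict[str, str]] = {
    "webauthn-passwordless": {"user_verification": "required"},
    "webauthn-2nd-factor": {"user_verification": "discouraged"},
}

RP_ID = "example.com"  # assumed relying party id


def request_options(policy: str, challenge: bytes, credential_ids: List[bytes]) -> dict:
    """Build the PublicKeyCredentialRequestOptions the RP hands to
    navigator.credentials.get() for one policy. Every credential the user
    registered under that policy goes into allowCredentials, so the browser
    tries each of them immediately when the form is shown."""
    return {
        "challenge": challenge,
        "rpId": RP_ID,
        "userVerification": POLICIES[policy]["user_verification"],
        "allowCredentials": [{"type": "public-key", "id": cid} for cid in credential_ids],
    }


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def check_assertion(auth_data: bytes, rp_id: str, policy: str, stored_sign_count: int) -> Tuple[bool, str]:
    """Return (ok, reason) for an assertion evaluated under `policy`.

    Signature verification is assumed to have been done already; this is the
    policy layer that decides whether the login counts as passwordless MFA."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    # "userVerification: required" in the request is only a hint to the client;
    # the RP must look at the UV bit to know the authenticator checked identity.
    if POLICIES[policy]["user_verification"] == "required" and not parsed["flags"] & FLAG_UV:
        return False, "policy requires user verification but UV flag not set"
    new_count = parsed["sign_count"]
    # A counter of 0 on both sides means the authenticator does not support it;
    # otherwise it must strictly increase, or a clone may be in play.
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input standing in for what a real authenticator returns."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    opts = request_options("webauthn-passwordless", b"random-challenge", [b"cred-1", b"cred-2"])
    print("passwordless request asks for userVerification =", opts["userVerification"])
    # Same key, same touch, no PIN: accepted as a 2nd factor, rejected as passwordless.
    data = make_authenticator_data(RP_ID, FLAG_UP, 7)
    print("as 2nd factor:   ", check_assertion(data, RP_ID, "webauthn-2nd-factor", 6))
    print("as passwordless: ", check_assertion(data, RP_ID, "webauthn-passwordless", 6))
```

The point the two policies make concrete is in the last two lines of the demo: the very same assertion is a valid second factor but is not a valid passwordless login, because the passwordless policy is what turns "possession of the key" into "possession plus PIN or biometric", and only the UV flag proves the second half happened.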