On 21. 11. 19 21:59, Pedro Igor Silva wrote:
On Thu, Nov 21, 2019 at 5:23 PM Marek Posolda <mposolda@redhat.com> wrote:
The WebAuthn authentication is available in Keycloak since the last 8.0
release. We have plans to do some improvements around it like:

- Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
WebAuthn is the kind of credential which is often used as both 2nd-factor
or passwordless. This is not the case for some other common credentials -
for example password is usually used as 1st-factor, while OTP is usually
used as 2nd-factor. We discussed within the Keycloak team that we want to
allow users/administrators to be able to use WebAuthn as both 1st-factor
and 2nd-factor even within a single authentication flow. To achieve this,
we want the ability to have 2 WebAuthn configurations (WebAuthn policies)
within the realm - one for passwordless and one for 2-factor
authentication. Because of some limitations in the current framework, we
will also temporarily duplicate some Java classes (Authenticator,
RequiredAction, CredentialProvider etc.) to be able to differentiate
between WebAuthn passwordless and 2nd-factor. This will be improved in the
future, but so far the priority is to improve the experience for the end
user, so the workaround of duplicating classes may be fine. Some details
in the JIRA https://issues.jboss.org/browse/KEYCLOAK-12174 .
I don't quite understand where WebAuthn will be used in different
steps for different factors in a single flow. Please, correct me if
I'm wrong but when using WebAuthn you either use it as a 2nd factor
(considering 1st is username/password) or MFA (if RP sets
the UserVerification to required) as a 1st factor.
Yes, single user won't use WebAuthn as both passwordless and 2-factor
during single authentication flow. I rather mean that single
authentication flow will be configured in a way, which will allow
WebAuthn to be used either as 1st-factor or as 2nd-factor. Sorry that
this wasn't clear when I wrote it above.
So for example assume the configuration of authentication flow like this:

Auth type                          | Requirement
-----------------------------------+---------------------------------------------
Cookie                             | [x] Alternative  [ ] Required  [ ] Disabled
Kerberos                           | [x] Alternative  [ ] Required  [ ] Disabled
Identity Provider Redirector       | [x] Alternative  [ ] Required  [ ] Disabled
Authenticate with Keycloak         | [x] Alternative  [ ] Required  [ ] Disabled
  | - Username Form                | [ ] Alternative  [x] Required  [ ] Disabled
  | - WebAuthn passwordless        | [x] Alternative  [ ] Required  [ ] Disabled
  | - Authenticate with MFA        | [x] Alternative  [ ] Required  [ ] Disabled
      | - Password                 | [ ] Alternative  [x] Required  [ ] Disabled
      | - WebAuthn - 2nd factor    | [ ] Alternative  [x] Required  [ ] Disabled
In this case the user will be able to authenticate either with "WebAuthn
passwordless" (if he has the proper security key, which requires
UserVerification through PIN etc.) OR with password + WebAuthn as 2nd
factor. Does it make more sense now?
Marek
Passwordless can be done by just username/user presence or by MFA if
the RP tells the authenticator to check the identity (bio/pin/etc).
- Improving usability of WebAuthn authentication: So far we discussed that
when the WebAuthn authentication form is displayed, there won't be
checkboxes with available WebAuthn authenticators, but instead all the
registered WebAuthn authenticators of the particular user (and particular
factor, according to whether we're authenticating as 1st-factor or
2nd-factor) will be tried. This will allow that there is no need to
explicitly submit via "Login", but WebAuthn authentication will be tried
immediately when the WebAuthn authentication form is displayed. We want
the ability for the user to retry authentication or eventually go back and
"try another way" to authenticate (for example via OTP if the user has
both OTP and WebAuthn as alternatives for 2nd-factor authentication). More
details in the JIRA https://issues.jboss.org/browse/KEYCLOAK-12177 .
If you have any feedback, feel free to comment.
Thanks,
Marek
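The two WebAuthn policies Marek describes (passwordless with UserVerification required, versus WebAuthn as a 2nd factor after the password) and the "try all registered authenticators immediately, then retry or try another way" behaviour both show up on the browser side as differences in the PublicKeyCredentialRequestOptions the RP hands to navigator.credentials.get(). The block below is an added example written for this thread, not Keycloak's own code or anything from the JIRAs. It assumes the server page embeds a base64url challenge, the rpId and, for the 2nd-factor case, the already-identified user's registered credential IDs; the sample challenge and credential IDs are constructed, and the 'preferred' UserVerification value for the 2nd-factor policy is an assumption standing in for whatever the realm's 2nd-factor policy would configure.

```javascript
// Added example for the thread above; not Keycloak's own code.
// Shows what the two WebAuthn policies (passwordless vs. 2nd factor) look like
// as browser-side PublicKeyCredentialRequestOptions, and how "try every
// registered authenticator as soon as the form is shown, with retry" can be
// done. Assumed (not from the thread): the server embeds a base64url challenge,
// the rpId, and, for 2nd factor, the already-identified user's credential IDs.

// WebAuthn carries challenges and credential IDs as base64url; decode to bytes.
function base64urlToBytes(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// mode 'passwordless': nobody has been identified yet, so no allowCredentials
//   list can be sent; the authenticator must hold a resident (discoverable)
//   credential, and userVerification is 'required' so the PIN/biometric check
//   makes this a true MFA factor on its own.
// mode 'second-factor': the password already identified the user, so all of
//   that user's credentials registered under the 2nd-factor policy go into
//   allowCredentials and the browser uses whichever key is present; no
//   checkbox to pick one. userVerification 'preferred' here is an assumption:
//   in practice it is whatever the realm's 2nd-factor policy configures.
function buildRequestOptions(mode, challengeB64url, rpId, registeredCredentialIds = []) {
  const base = { challenge: base64urlToBytes(challengeB64url), rpId, timeout: 60000 };
  if (mode === 'passwordless') {
    return { ...base, allowCredentials: [], userVerification: 'required' };
  }
  if (mode === 'second-factor') {
    if (registeredCredentialIds.length === 0) {
      // Nothing to try: the caller should offer "try another way" (e.g. OTP).
      throw new Error('no WebAuthn 2nd-factor credential registered for this user');
    }
    return {
      ...base,
      allowCredentials: registeredCredentialIds.map((id) => ({
        type: 'public-key',
        id: base64urlToBytes(id),
      })),
      userVerification: 'preferred',
    };
  }
  throw new Error(`unknown WebAuthn mode: ${mode}`);
}

// Start the ceremony immediately (no "Login" click) and retry a bounded number
// of times on NotAllowedError (user cancelled or timed out, e.g. key not yet
// inserted). Any other error is not retried. Returns null outside a browser,
// so the module can also be exercised in Node.
async function authenticateImmediately(options, maxAttempts = 2) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return null;
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      return await navigator.credentials.get({ publicKey: options });
    } catch (e) {
      lastError = e;
      if (e.name !== 'NotAllowedError') throw e;
    }
  }
  throw lastError; // caller falls back to "try another way"
}

// Constructed sample values (not real challenges or credential IDs).
const SAMPLE_CHALLENGE = 'AQID';
const SAMPLE_CREDENTIAL_IDS = ['AAEC', 'BAUG'];

const passwordless = buildRequestOptions('passwordless', SAMPLE_CHALLENGE, 'sso.example.test');
const secondFactor = buildRequestOptions(
  'second-factor', SAMPLE_CHALLENGE, 'sso.example.test', SAMPLE_CREDENTIAL_IDS,
);
```

In a page served by the authenticator form, `authenticateImmediately(passwordless)` or `authenticateImmediately(secondFactor)` would be called on load; the resulting assertion is posted back to the server, which verifies it against the policy that issued the challenge, so a key registered only under the 2nd-factor policy cannot satisfy the passwordless step even though the browser-side request shape alone would not stop it.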
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev