On Thu, Nov 21, 2019 at 5:23 PM Marek Posolda <mposolda(a)redhat.com> wrote:
> The WebAuthn authentication is available in Keycloak since the last 8.0
> release. We have plans to do some improvements around it like:
>
> - Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
> WebAuthn is the kind of credential which is often used as both
> 2nd-factor or passwordless. This is not the case for some other common
> credentials - for example password is usually used as 1st-factor while
> OTP is usually used as 2nd-factor. We discussed within the Keycloak team
> that we want to allow users/administrators to be able to use WebAuthn as
> both 1st-factor and 2nd-factor even within a single authentication flow.
> To achieve this, we want the ability to have 2 WebAuthn configurations
> (WebAuthn policies) within the realm - one for passwordless and one for
> 2-factor authentication. Because of some limitations in the current
> framework, we will also temporarily duplicate some java classes
> (Authenticator, RequiredAction, CredentialProvider etc) to be able to
> differentiate between WebAuthn passwordless and 2nd-factor. This will be
> improved in the future, but so far the priority is to improve the experience
> for the end user, so the workaround of duplicating classes may be fine. Some
> details in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-12174 .
I don't quite understand where WebAuthn will be used in different steps for
different factors in a single flow. Please correct me if I'm wrong, but
when using WebAuthn you either use it as a 2nd factor (considering the 1st is
username/password) or as MFA (if the RP sets UserVerification to required) as
a 1st factor.
Passwordless can be done by just username/user presence, or by MFA if the RP
tells the authenticator to check the identity (bio/pin/etc).
> - Improving usability of WebAuthn authentication: So far we discussed
> that when the WebAuthn authentication form is displayed, there won't be
> checkboxes with available WebAuthn authenticators, but instead all the
> registered WebAuthn authenticators of the particular user (and particular
> factor, according to whether we're authenticating as 1st-factor or 2nd-factor)
> will be tried. This means there is no need to explicitly submit
> via "Login"; WebAuthn authentication will be tried immediately when
> the WebAuthn authentication form is displayed. We want the ability for the
> user to retry authentication or eventually go back and "try another way"
> to authenticate (for example via OTP if the user has both OTP and WebAuthn
> as alternatives for 2nd-factor authentication). More details in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-12177 .
>
> If you have any feedback, feel free to comment.
>
> Thanks,
> Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev