[keycloak-dev] WebAuthn: next plans
Marek Posolda
mposolda at redhat.com
Thu Nov 21 15:21:17 EST 2019

WebAuthn authentication has been available in Keycloak since the last 8.0
release. We have plans to do some improvements around it, like:

- Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
WebAuthn is the kind of credential which is often used as either
2nd-factor or passwordless. This is not the case for some other common
credentials - for example, password is usually used as 1st-factor, while
OTP is usually used as 2nd-factor. We discussed within the Keycloak team
that we want to allow users/administrators to be able to use WebAuthn as
both 1st-factor and 2nd-factor, even within a single authentication flow.
To achieve this, we want the ability to have 2 WebAuthn configurations
(WebAuthn policies) within the realm - one for passwordless and one for
2-factor authentication. Because of some limitations in the current
framework, we will also temporarily duplicate some Java classes
(Authenticator, RequiredAction, CredentialProvider etc.) to be able to
differentiate between WebAuthn passwordless and 2nd-factor. This will be
improved in the future, but so far the priority is to improve the
experience for the end user, so the workaround of duplicating classes may
be fine. Some details are in the JIRA
https://issues.jboss.org/browse/KEYCLOAK-12174 .

- Improving usability of WebAuthn authentication: So far we have discussed
that when the WebAuthn authentication form is displayed, there won't be
checkboxes with the available WebAuthn authenticators; instead, all the
registered WebAuthn authenticators of the particular user (and the
particular factor, according to whether we're authenticating as 1st-factor
or 2nd-factor) will be tried. This means there is no need to explicitly
submit via "Login"; WebAuthn authentication will be tried immediately when
the WebAuthn authentication form is displayed. We want the ability for the
user to retry authentication or eventually go back and "try another way"
to authenticate (for example via OTP, if the user has both OTP and WebAuthn
as alternatives for 2nd-factor authentication). More details are in the JIRA
https://issues.jboss.org/browse/KEYCLOAK-12177 .

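As an added illustration (not Keycloak's code, and not part of the original post) of the two points above: a browser-side sketch with one request-options builder per WebAuthn policy (passwordless vs. 2nd-factor), which lists every registered authenticator in allowCredentials so no checkbox selection is needed, and a flow that starts the assertion as soon as the form is shown, retries on cancellation, and falls back to "try another way". The policy values, credential ids and the injected `getCredential` function are assumptions; in a page you would pass `navigator.credentials.get.bind(navigator.credentials)`.

```javascript
// Hypothetical realm policies, one per factor as the post proposes (not
// Keycloak's actual policy model). Passwordless demands user verification;
// the 2nd-factor policy treats the authenticator as possession-only.
const POLICIES = {
  passwordless: { rpId: "example.com", timeout: 60000, userVerification: "required" },
  secondFactor: { rpId: "example.com", timeout: 60000, userVerification: "discouraged" },
};

// Build PublicKeyCredentialRequestOptions for the factor being authenticated.
// challenge: server-issued bytes; registeredCredentialIds: all credential ids
// the user registered under this policy. Naming them all in allowCredentials
// lets the browser use whichever authenticator is present, replacing the
// checkbox list. For passwordless with discoverable credentials the list may
// be empty and the authenticator picks the credential itself.
function buildRequestOptions(policyName, challenge, registeredCredentialIds) {
  const policy = POLICIES[policyName];
  if (!policy) throw new Error(`unknown WebAuthn policy: ${policyName}`);
  return {
    challenge,
    rpId: policy.rpId,
    timeout: policy.timeout,
    userVerification: policy.userVerification,
    allowCredentials: registeredCredentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Run the assertion immediately on form display. A NotAllowedError (the user
// cancelled, no matching authenticator, or timeout) is retried up to
// maxAttempts; anything else is an unexpected failure and is surfaced.
// Returns { status: "ok", assertion, attempts } or
// { status: "try-another-way", attempts } so the caller can offer OTP etc.
async function authenticateOnDisplay(getCredential, options, maxAttempts = 2) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const assertion = await getCredential({ publicKey: options });
      return { status: "ok", assertion, attempts: attempt };
    } catch (err) {
      if (err.name !== "NotAllowedError") throw err;
    }
  }
  return { status: "try-another-way", attempts: maxAttempts };
}
```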
If you have any feedback, feel free to comment.

Thanks,
Marek