[keycloak-dev] WebAuthn: next plans

Pedro Igor Silva psilva at redhat.com
Thu Nov 21 15:59:27 EST 2019


On Thu, Nov 21, 2019 at 5:23 PM Marek Posolda <mposolda at redhat.com> wrote:

> The WebAuthn authentication is available in Keycloak since the last 8.0
> release. We have plans to do some improvements around it like:
>
> - Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
> WebAuthn is the kind of credential which is often used as both a
> 2nd-factor and passwordless. This is not the case for some other common
> credentials - for example, a password is usually used as the 1st-factor while
> OTP is usually used as the 2nd-factor. We discussed within the Keycloak team
> that we want to allow users/administrators to be able to use WebAuthn as
> both 1st-factor and 2nd-factor even within a single authentication flow.
> To achieve this, we want the ability to have 2 WebAuthn configurations
> (WebAuthn policies) within the realm - one for passwordless and one for
> 2-factor authentication. Because of some limitations in the current
> framework, we will also temporarily duplicate some Java classes
> (Authenticator, RequiredAction, CredentialProvider etc.) to be able to
> differentiate between WebAuthn passwordless and 2nd-factor. This will be
> improved in the future, but so far the priority is to improve the experience
> for the end user, so the workaround of duplicating classes may be fine. Some
> details are in the JIRA https://issues.jboss.org/browse/KEYCLOAK-12174 .
>

I don't quite understand where WebAuthn will be used in different steps for
different factors in a single flow. Please correct me if I'm wrong, but
when using WebAuthn you either use it as a 2nd factor (considering the 1st is
username/password) or as MFA (if the RP sets UserVerification to required) as
a 1st factor.

Passwordless can be done by just username/user presence or by MFA if the RP
tells the authenticator to check the identity (bio/pin/etc).


>
> - Improving usability of WebAuthn authentication: So far we discussed
> that when the WebAuthn authentication form is displayed, there won't be
> checkboxes with available WebAuthn authenticators, but instead all the
> registered WebAuthn authenticators of the particular user (and particular
> factor, according to whether we're authenticating as 1st-factor or 2nd-factor)
> will be tried. This means there is no need to explicitly submit
> via "Login"; WebAuthn authentication will be tried immediately when
> the WebAuthn authentication form is displayed. We want the ability for the
> user to retry authentication or eventually go back and "try another way"
> to authenticate (for example via OTP if the user has both OTP and WebAuthn
> as alternatives for 2nd-factor authentication). More details are in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-12177 .
>
> If you have any feedback, feel free to comment.
>
> Thanks,
> Marek
>
>
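Pedro's point that the RP's UserVerification requirement is what makes a WebAuthn assertion count as MFA on its own, together with Marek's plan for two per-realm WebAuthn policies, as an added example that is not Keycloak code nor code from either poster: a server-side check of the authenticatorData flags against a per-flow-role policy. The policy table, the flow-role names, the rpId and the sample authenticatorData are constructed assumptions.

```python
import hashlib
import struct

# Flag bits of the authenticatorData "flags" byte (WebAuthn Level 1, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric checked by the authenticator)

# Two policies, one per flow role, mirroring the "two WebAuthn policies per realm"
# proposal. Constructed for this example; not a Keycloak configuration format.
POLICIES = {
    "passwordless": {"userVerificationRequirement": "required"},
    "2nd-factor": {"userVerificationRequirement": "discouraged"},
}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def assertion_satisfies_policy(auth_data: bytes, rp_id: str, flow_role: str) -> bool:
    """True when the assertion's flags meet the policy for the given flow role."""
    fields = parse_authenticator_data(auth_data)
    # The RP ID hash must match the realm's RP ID, whatever the flow role.
    if fields["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    # User presence is mandatory for every assertion.
    if not fields["up"]:
        return False
    # Only the passwordless policy insists on UV; 2nd-factor relies on the
    # preceding password step for identity and only needs presence.
    requirement = POLICIES[flow_role]["userVerificationRequirement"]
    if requirement == "required" and not fields["uv"]:
        return False
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Construct a minimal authenticatorData prefix as sample input."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```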

