[keycloak-dev] WebAuthn: next plans
Marek Posolda
mposolda at redhat.com
Fri Nov 22 02:49:14 EST 2019
On 21. 11. 19 21:59, Pedro Igor Silva wrote:
>
>
> On Thu, Nov 21, 2019 at 5:23 PM Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> The WebAuthn authentication is available in Keycloak since the last 8.0
> release. We have plans to do some improvements around it like:
>
> - Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
> WebAuthn is the kind of credential which is often used as both 2nd-factor
> or passwordless. This is not the case for some other common credentials -
> for example password is usually used as 1st-factor while OTP is usually
> used as 2nd-factor. We discussed within the Keycloak team that we want to
> allow users/administrators to be able to use WebAuthn as both 1st-factor
> and 2nd-factor even within a single authentication flow. To achieve this,
> we want the ability to have 2 WebAuthn configurations (WebAuthn policies)
> within the realm - one for passwordless and one for 2-factor
> authentication. Because of some limitations in the current framework, we
> will also temporarily duplicate some Java classes (Authenticator,
> RequiredAction, CredentialProvider etc.) to be able to differentiate
> between WebAuthn passwordless and 2nd-factor. This will be improved in the
> future, but so far the priority is to improve the experience for the end
> user, so the workaround of duplicating classes may be fine. Some details in
> the JIRA https://issues.jboss.org/browse/KEYCLOAK-12174 .
>
>
> I don't quite understand where WebAuthn will be used in different
> steps for different factors in a single flow. Please, correct me if
> I'm wrong but when using WebAuthn you either use it as a 2nd factor
> (considering 1st is username/password) or MFA (if RP sets
> the UserVerification to required) as a 1st factor.
Yes, a single user won't use WebAuthn as both passwordless and 2-factor
during a single authentication flow. I rather mean that a single
authentication flow will be configured in a way which will allow
WebAuthn to be used either as 1st-factor or as 2nd-factor. Sorry that
this wasn't clear when I wrote it above.
So for example assume the configuration of an authentication flow like this:

Auth type                          | Requirement
-----------------------------------+-------------------------------------------
Cookie                             | [x] Alternative [ ] Required [ ] Disabled
Kerberos                           | [x] Alternative [ ] Required [ ] Disabled
Identity Provider Redirector       | [x] Alternative [ ] Required [ ] Disabled
Authenticate with Keycloak         | [x] Alternative [ ] Required [ ] Disabled
  |- Username Form                 | [ ] Alternative [x] Required [ ] Disabled
  |- WebAuthn passwordless         | [x] Alternative [ ] Required [ ] Disabled
  |- Authenticate with MFA         | [x] Alternative [ ] Required [ ] Disabled
       |- Password                 | [ ] Alternative [x] Required [ ] Disabled
       |- WebAuthn - 2nd factor    | [ ] Alternative [x] Required [ ] Disabled

In this case the user will be able to authenticate either with "WebAuthn
passwordless" (if he has the proper security key, which requires
UserVerification through PIN etc.) OR with password + WebAuthn as 2nd
factor. Does it make more sense now?
Marek
>
> Passwordless can be done by just username/user presence or by MFA if
> the RP tells the authenticator to check the identity (bio/pin/etc).
>
>
> - Improving usability of WebAuthn authentication: So far we discussed that
> when the WebAuthn authentication form is displayed, there won't be
> checkboxes with available WebAuthn authenticators, but instead all the
> registered WebAuthn authenticators of the particular user (and particular
> factor, according to whether we're authenticating as 1st-factor or
> 2nd-factor) will be tried. This will allow that there is no need to
> explicitly submit via "Login", but WebAuthn authentication will be tried
> immediately when the WebAuthn authentication form is displayed. We want the
> ability for the user to retry authentication or eventually go back and "try
> another way" to authenticate (for example via OTP if the user has both OTP
> and WebAuthn as alternatives for 2nd-factor authentication). More details
> in the JIRA https://issues.jboss.org/browse/KEYCLOAK-12177 .
>
> If you have any feedback, feel free to comment.
>
> Thanks,
> Marek
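The thread turns on two relying-party-side decisions: a realm keeps separate "passwordless" and "2nd-factor" WebAuthn policies (the first requiring UserVerification, the second only user presence), and the login form tries every authenticator the user registered under the policy in play instead of asking the user to pick one. The following is an added example, not Keycloak's code and not part of the original e-mail: it models those two policies, builds the `PublicKeyCredentialRequestOptions` the browser would receive (with `userVerification` set per policy and `allowCredentials` filled with all of the user's keys for that factor), and checks the `authenticatorData` of the returned assertion against the policy (rpIdHash, UP and UV flags, signature counter). The policy names, the `example.org` rpId, the in-memory credential store and the sample assertions are all constructed assumptions; signature verification over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is a separate, mandatory step that is left out here.

```python
# Added example (not Keycloak code): RP-side handling that distinguishes a
# "passwordless" WebAuthn policy from a "2nd-factor" one. Policy names, rpId,
# credential store and sample data are assumptions made for illustration.
# The assertion signature itself must still be verified with the stored
# public key; only the authenticatorData policy checks are shown here.
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# authenticatorData layout (WebAuthn Level 1, section 6.1):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 0x01  # bit 0: user present (touch)
FLAG_UV = 0x04  # bit 2: user verified (PIN, biometric)


@dataclass(frozen=True)
class WebAuthnPolicy:
    name: str  # hypothetical policy name
    rp_id: str
    require_user_verification: bool


# Two policies in one realm: passwordless demands UV, the 2nd-factor one does not.
PASSWORDLESS = WebAuthnPolicy("webauthn-passwordless", "example.org", True)
SECOND_FACTOR = WebAuthnPolicy("webauthn-2nd-factor", "example.org", False)

# Constructed credential store. Each registered key is tagged with the policy
# (factor) it was registered under, so a 2nd-factor key cannot be used to log
# in passwordlessly and vice versa.
CREDENTIALS: Dict[str, List[dict]] = {
    "alice": [
        {"policy": "webauthn-passwordless", "id": b"\x01" * 16, "sign_count": 5},
        {"policy": "webauthn-2nd-factor", "id": b"\x02" * 16, "sign_count": 9},
        {"policy": "webauthn-2nd-factor", "id": b"\x03" * 16, "sign_count": 0},
    ],
}


def request_options(user: str, policy: WebAuthnPolicy, challenge: bytes) -> dict:
    """PublicKeyCredentialRequestOptions for navigator.credentials.get().

    Every authenticator the user registered under this policy goes into
    allowCredentials, so the browser tries whichever one is plugged in and
    no checkbox selection is needed (the username is already known from the
    preceding Username Form step).
    """
    creds = [c for c in CREDENTIALS.get(user, []) if c["policy"] == policy.name]
    if not creds:
        raise LookupError(f"{user} has no credential registered for {policy.name}")
    return {
        "challenge": challenge,
        "rpId": policy.rp_id,
        "userVerification": "required" if policy.require_user_verification else "discouraged",
        "allowCredentials": [{"type": "public-key", "id": c["id"]} for c in creds],
    }


def parse_authenticator_data(auth_data: bytes) -> Tuple[bytes, int, int]:
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return rp_id_hash, flags, sign_count


def check_assertion(user: str, credential_id: bytes, auth_data: bytes,
                    policy: WebAuthnPolicy) -> Tuple[bool, str]:
    """Policy checks on an assertion's authenticatorData (WebAuthn 7.2, steps 11-17)."""
    cred = next((c for c in CREDENTIALS.get(user, [])
                 if c["id"] == credential_id and c["policy"] == policy.name), None)
    if cred is None:
        return False, "credential not registered for this user and policy"
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(policy.rp_id.encode()).digest():
        return False, "rpIdHash does not match policy rpId"
    if not flags & FLAG_UP:
        return False, "UP flag not set"
    if policy.require_user_verification and not flags & FLAG_UV:
        return False, "policy requires user verification but UV flag not set"
    # A non-zero counter that did not increase suggests a cloned authenticator.
    if sign_count != 0 and sign_count <= cred["sign_count"]:
        return False, "signature counter did not increase"
    cred["sign_count"] = sign_count
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData (the bytes a real authenticator would sign)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    opts = request_options("alice", SECOND_FACTOR, os.urandom(32))
    print(opts["userVerification"], len(opts["allowCredentials"]))  # discouraged 2
    touch_only = make_auth_data("example.org", FLAG_UP, 6)
    print(check_assertion("alice", b"\x01" * 16, touch_only, PASSWORDLESS))  # rejected: no UV
    print(check_assertion("alice", b"\x02" * 16, make_auth_data("example.org", FLAG_UP, 10), SECOND_FACTOR))  # (True, 'ok')
```

The same touch-only assertion passes under the 2nd-factor policy and fails under the passwordless one, which is the whole reason for keeping two policies in the realm rather than one with a single UserVerification setting. Keep the "discouraged"/"required" value in the request options in sync with the check on the UV flag: asking the authenticator for verification but not checking the flag on the way back lets a client that strips the requirement downgrade passwordless login to touch-only.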