[keycloak-dev] WebAuthn: next plans

Pedro Igor Silva psilva at redhat.com
Fri Nov 22 07:43:34 EST 2019


Yeah. I knew you did not mean that but what you later described. Just
wanted to make that part a bit more clear.

Thanks.

On Fri, Nov 22, 2019 at 4:49 AM Marek Posolda <mposolda at redhat.com> wrote:

> On 21. 11. 19 21:59, Pedro Igor Silva wrote:
>
>
>
> On Thu, Nov 21, 2019 at 5:23 PM Marek Posolda <mposolda at redhat.com> wrote:
>
>> The WebAuthn authentication is available in Keycloak since the last 8.0
>> release. We have plans to do some improvements around it like:
>>
>> - Allow WebAuthn to be used as 1st-factor and 2nd-factor - It seems that
>> WebAuthn is the kind of credential which is often used either as
>> 2nd-factor or passwordless. This is not the case for some other common
>> credentials - for example password is usually used as 1st-factor while
>> OTP is usually used as 2nd-factor. We discussed within the Keycloak team
>> that we want to allow users/administrators to be able to use WebAuthn as
>> both 1st-factor and 2nd-factor even within a single authentication flow.
>> To achieve this, we want the ability to have 2 WebAuthn configurations
>> (WebAuthn policies) within the realm - one for passwordless and one for
>> 2-factor authentication. Because of some limitations in the current
>> framework, we will also temporarily duplicate some Java classes
>> (Authenticator, RequiredAction, CredentialProvider etc.) to be able to
>> differentiate between WebAuthn passwordless and 2nd-factor. This will be
>> improved in the future, but so far the priority is to improve the experience
>> for the end user, so the workaround of duplicating classes may be fine. Some
>> details in the JIRA https://issues.jboss.org/browse/KEYCLOAK-12174 .
>>
>
> I don't quite understand where WebAuthn will be used in different steps
> for different factors in a single flow. Please correct me if I'm wrong, but
> when using WebAuthn you either use it as a 2nd factor (considering the 1st is
> username/password) or as MFA (if the RP sets UserVerification to required) as
> a 1st factor.
>
> Yes, a single user won't use WebAuthn as both passwordless and 2-factor
> during a single authentication flow. I rather mean that a single authentication
> flow will be configured in a way which will allow WebAuthn to be used
> either as 1st-factor or as 2nd-factor. Sorry that this wasn't clear when I
> wrote it above.
>
> So for example assume the configuration of authentication flow like this:
>
> Auth type                         | Requirement
> -----------------------------------------------------------------------------------------------
> Cookie                             [x] Alternative  [ ] Required                   [ ] Disabled
> Kerberos                           [x] Alternative  [ ] Required                   [ ] Disabled
> Identity Provider Redirector       [x] Alternative  [ ] Required                   [ ] Disabled
> Authenticate with Keycloak         [x] Alternative  [ ] Required                   [ ] Disabled
>   | - Username Form                [ ] Alternative  [x] Required                   [ ] Disabled
>   | - WebAuthn passwordless        [x] Alternative  [ ] Required                   [ ] Disabled
>   | - Authenticate with MFA        [x] Alternative  [ ] Required                   [ ] Disabled
>        | - Password                [ ] Alternative  [x] Required                   [ ] Disabled
>        | - WebAuthn - 2nd factor   [ ] Alternative  [x] Required                   [ ] Disabled
>
>
> In this case the user will be able to authenticate either with "WebAuthn
> passwordless" (if he has the proper security key, which requires
> UserVerification through PIN etc.) OR with password + WebAuthn as 2nd
> factor. Does it make more sense now?
>
> Marek
>
>
> Passwordless can be done by just username/user presence or by MFA if the
> RP tells the authenticator to check the identity (bio/PIN/etc.).
>
>
>>
>> - Improving usability of WebAuthn authentication: So far we discussed
>> that when the WebAuthn authentication form is displayed, there won't be
>> checkboxes with the available WebAuthn authenticators, but instead all the
>> registered WebAuthn authenticators of the particular user (and the particular
>> factor, according to whether we're authenticating as 1st-factor or 2nd-factor)
>> will be tried. This means there is no need to explicitly submit
>> via "Login"; WebAuthn authentication will be tried immediately when
>> the WebAuthn authentication form is displayed. We want the ability for the
>> user to retry authentication or eventually go back and "try another way"
>> to authenticate (for example via OTP if the user has both OTP and WebAuthn
>> as alternatives for 2nd-factor authentication). More details in the JIRA
>> https://issues.jboss.org/browse/KEYCLOAK-12177 .
>>
>> If you have any feedback, feel free to comment.
>>
>> Thanks,
>> Marek
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>
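Added illustration (not code from this thread and not Keycloak's implementation): the one thing that differs between a "passwordless" and a "2nd-factor" WebAuthn policy in the discussion above is whether the relying party insists on user verification. The Python below parses the fixed part of a WebAuthn assertion's authenticator data (rpIdHash, flags, signature counter) and applies the policy-dependent checks from the WebAuthn assertion verification procedure: the passwordless policy rejects a touch-only (UP without UV) assertion, the second-factor policy accepts it, and a non-increasing signature counter is rejected under both. The POLICIES dict, the function names and the relying party id are hypothetical, the authenticator data is constructed inline rather than captured from a real authenticator, and the signature over authData || sha256(clientDataJSON) is deliberately left to a separate step.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 1, section 6.1).
FLAG_UP = 0x01  # user present (e.g. touch)
FLAG_UV = 0x04  # user verified (PIN, biometric, ...)

# Two realm-level WebAuthn policies, one per role of the credential. The dict and
# its keys are hypothetical; only the user-verification requirement differs.
POLICIES = {
    "passwordless": {"user_verification": "required"},
    "second-factor": {"user_verification": "preferred"},
}


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample only: in real use this comes from the authenticator."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return {"rp_id_hash": data[:32], "flags": data[32], "sign_count": sign_count}


def verify_assertion(auth_data: bytes, rp_id: str, policy_name: str,
                     stored_sign_count: int) -> tuple:
    """Return (ok, reason, sign_count_to_store) for one assertion's authenticator data.

    Implements the policy-dependent checks of WebAuthn Level 1, section 7.2
    (rpIdHash, UP, UV per policy, signature counter). The assertion signature
    over authData || sha256(clientDataJSON) must be verified separately.
    """
    policy = POLICIES[policy_name]
    parsed = parse_authenticator_data(auth_data)

    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return (False, "rpIdHash does not match the relying party id", stored_sign_count)
    if not parsed["flags"] & FLAG_UP:
        return (False, "user presence (UP) flag not set", stored_sign_count)
    # Passwordless must prove a second factor on the authenticator itself, so UV is
    # mandatory; as a 2nd factor the password already supplied the knowledge factor.
    if policy["user_verification"] == "required" and not parsed["flags"] & FLAG_UV:
        return (False, "user verification (UV) required by policy but not set", stored_sign_count)
    # A counter that did not increase (when either side is non-zero) signals a
    # possibly cloned authenticator; treat it as a failed authentication.
    count = parsed["sign_count"]
    if (count or stored_sign_count) and count <= stored_sign_count:
        return (False, "signature counter did not increase; possible cloned authenticator",
                stored_sign_count)
    return (True, "ok", count)


if __name__ == "__main__":
    rp = "login.example.com"  # hypothetical relying party id
    touch_only = build_authenticator_data(rp, FLAG_UP, 8)
    touch_and_pin = build_authenticator_data(rp, FLAG_UP | FLAG_UV, 8)
    print(verify_assertion(touch_only, rp, "passwordless", 7))     # rejected: UV missing
    print(verify_assertion(touch_and_pin, rp, "passwordless", 7))  # accepted
    print(verify_assertion(touch_only, rp, "second-factor", 7))    # accepted
    print(verify_assertion(touch_only, rp, "second-factor", 8))    # rejected: counter
```

The same assertion bytes therefore pass or fail depending on which policy the flow step selected, which is exactly why the flow needs to know whether it is running WebAuthn as the first or as the second factor before it validates the response.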