
Passkeys (Phase 1) - POC

Summary

  • Begin backend implementation based on the 1st draft of the ADR
  • Decide on what features should be in iteration 2 (1st release) and create stubs
  • Update the ADR and submit to AppSec

Order Of Issues (Phase 1)

  • /accounts Passkeys Creation and Deletion Flow
  • /users/sign_in Passkeys Login & Sign-out Flow
  • Create 2FA alternate parity
    • Passkeys satisfy 2FA
    • If only a passkey is added as a 2FA, the user is prompted to use it as a 2FA on sign-in
    • When a passkey and other WebAuthn devices are enabled, passkeys are used as the first option
    • No duplicates (a passkey can't be added as a WebAuthn device and vice versa)
    • Confirm previous decision with product & AppSec (it might be worth making a feature issue to allow users to choose their preferred 2FA in /accounts or on the sign_in screen, depending on AppSec & product feedback)
    • (only for this flow) In the passkeys pop-up, add a 2FA button alternative like the [Sign in with 2FA code] button in the /passkey/new_create view if other WebAuthn devices (not passkeys) exist

  • Additional work
    • Add device information
      • Last Used timestamp
    • Bugs/More investigation needed:
      • Find out why passkey-eligible roaming authenticators reply with credProps: { rk: false } when it's true on other relying parties like https://demo.yubico.com/. I think it might be due to our existing rp_id not being set properly before sending requests to the browser.

(End of everything done for the POC MR)

  • Add tests
  • Gate current features behind the :passkeys feature flag
  • Add/Create Passkey Pop-up flow
    • Accepts device_name
    • Shareable popup for the internal -/profile paths
    • Shareable popup for the external -/users/sign_in paths (sign in, 2FA, group
  • Add/Verify Passkeys Upgrade Pop-up to every relevant flow (after every 2FA, password reset, account creation or group invite account creation)
  • WebAuthn To Passkey Upgrade Flow
    • /profile & /sign_in
  • Instrument Passkeys for adoption
  • Admin settings
    • Disable passkey auth
    • Disable passkey as a 2FA

Moved to Phase 2

  • Device Type (Will be a lot more work than initially thought)
    • Use the aaguid from the authenticators to get this. Requires a recurring script that reads this open-source JSON -> stores it in our DB table (webauthn_metadata_devices) & a cron job to update it
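For the device-type item above: the aaguid only exists inside the attested credential data of the registration response's authenticatorData, so the lookup against webauthn_metadata_devices starts with parsing that byte layout. The Ruby below is an added illustration, not GitLab's code; the AAGUIDs, device names and rp id in it are constructed, and it also shows the assertion-time case where no attested credential data (and so no aaguid) is present.

```ruby
require 'digest'

# Flag bits of the authenticatorData flags byte (WebAuthn spec).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (passkey / multi-device credential)
FLAG_AT = 0x40  # attested credential data (incl. aaguid) follows

# Constructed stand-in for webauthn_metadata_devices rows; AAGUIDs are made up.
METADATA = {
  '11111111-2222-3333-4444-555555555555' => 'Example roaming key (constructed)',
  'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' => 'Example platform authenticator (constructed)'
}.freeze

# Formats 16 raw bytes as the canonical 8-4-4-4-12 hex string.
def aaguid_to_s(bytes)
  hex = bytes.unpack1('H32')
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
end

# Parses the fixed 37-byte prefix and, when AT is set, the attested credential data.
def parse_authenticator_data(data)
  raise ArgumentError, 'authenticatorData too short' if data.bytesize < 37
  flags = data.getbyte(32)
  result = {
    rp_id_hash: data.byteslice(0, 32),
    user_present: (flags & FLAG_UP) != 0,
    user_verified: (flags & FLAG_UV) != 0,
    backup_eligible: (flags & FLAG_BE) != 0,
    sign_count: data.byteslice(33, 4).unpack1('N'),
    aaguid: nil
  }
  if (flags & FLAG_AT) != 0
    raise ArgumentError, 'attested credential data truncated' if data.bytesize < 55
    result[:aaguid] = aaguid_to_s(data.byteslice(37, 16))
    cred_id_len = data.byteslice(53, 2).unpack1('n')
    result[:credential_id] = data.byteslice(55, cred_id_len)
  end
  result
end

# Device name from the metadata table, or nil when unknown / no aaguid was sent.
def device_name_for(parsed)
  parsed[:aaguid] && METADATA[parsed[:aaguid]]
end

# Constructed registration authenticatorData: UP|UV|BE|AT, counter 0, 4-byte credential id.
def sample_authenticator_data
  aaguid = ['11111111222233334444555555555555'].pack('H*')
  Digest::SHA256.digest('gitlab.example') + [FLAG_UP | FLAG_UV | FLAG_BE | FLAG_AT].pack('C') +
    [0].pack('N') + aaguid + [4].pack('n') + "\x01\x02\x03\x04".b
end
```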
Edited by Hakeem Abdul-Razak