Switch webauthn feature flag on
Summary
This issue is to enable the webauthn feature flag.
Before that, we need to be sure that we already converted all U2F registrations to WebAuthn registrations. As mentioned in #232669 (closed), there's no way back after enabling the feature flag, because WebAuthn registrations cannot be converted back to U2F registrations.
Owners
- Team: ~"group::access"
- Most appropriate slack channel to reach out to: #g_manage_access
- Best individual to reach out to: @ifarkas
- PM: @hsutor
Stakeholders
The Rollout Plan
Unfortunately, the options for rollout are limited. The feature flag is global without any actor: we cannot roll out incrementally or to specific users / groups / projects. We cannot disable it once it's turned on, because there's no WebAuthn -> U2F conversion. The proposed steps:
- enable the feature flag on staging
- verify there's no bug / regression
  - before enabling the feature flag:
    - get at least 2 people (say, A and B) to register their device
  - after enabling the feature flag:
    - get another 2 people (say, C and D) to register their device (so that they are directly registered via WebAuthn)
    - get A, B, C and D to check if login works
    - get A, B, C and D to remove the device on their accounts and see if login works fine without 2FA
    - get A, B, C and D to re-register their device on their accounts and see if login still works
- enable on production
- verify there's no bug / regression
  - before enabling the feature flag:
    - get at least 2 people (say, A and B) to register their device
  - after enabling the feature flag:
    - get another 2 people (say, C and D) to register their device (so that they are directly registered via WebAuthn)
    - get A, B, C and D to check if login works
    - get A, B, C and D to remove the device on their accounts and see if login works fine without 2FA
    - get A, B, C and D to re-register their device on their accounts and see if login still works
- make the feature flag default enabled: !50735 (merged)
Expectations
What are we expecting to happen?
Seamless upgrade from U2F to WebAuthn. Users should be able to use their existing U2F devices.
What might happen if this goes wrong?
Users are not able to log in using U2F devices.
What can we monitor to detect problems with this?
- error rate on the /users/sign_in endpoint (SessionsController#create)
Rollback Steps
We cannot cleanly roll back the feature flag. An option is to disable the feature flag and delete all WebAuthn registrations that don't have associated U2F registration:
WebauthnRegistration.where(u2f_registration_id: nil).destroy_all
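The two checks this plan relies on, the pre-flight "every U2F registration already has a WebAuthn counterpart" condition from the summary and the rollback filter above, as an added example that is not part of the issue or of GitLab's code. It models the records with plain Ruby structs over constructed sample data so it runs offline; the model names U2fRegistration and WebauthnRegistration and the field names are assumptions, and in a Rails console the pre-flight query would correspond to something like `U2fRegistration.where.not(id: WebauthnRegistration.select(:u2f_registration_id))`.

```ruby
# Added example: in-memory model of the pre-flight and rollback checks.
# Model/field names are assumed; in GitLab these would be ActiveRecord
# queries, here Structs stand in so the logic can be exercised offline.
U2fRegistration      = Struct.new(:id, :user_id, :key_handle)
WebauthnRegistration = Struct.new(:id, :user_id, :u2f_registration_id)

# Constructed sample data: U2F ids 1 and 2 have been converted, id 3 has
# not; WebAuthn id 12 was registered natively (no U2F origin).
U2F_REGS = [
  U2fRegistration.new(1, 100, 'kh-a'),
  U2fRegistration.new(2, 101, 'kh-b'),
  U2fRegistration.new(3, 102, 'kh-c')
].freeze
WEBAUTHN_REGS = [
  WebauthnRegistration.new(10, 100, 1),
  WebauthnRegistration.new(11, 101, 2),
  WebauthnRegistration.new(12, 103, nil)
].freeze

# Pre-flight: U2F registrations with no WebAuthn counterpart. This must be
# empty before the flag is enabled, otherwise those users would lose their
# second factor once login stops consulting the U2F table.
def unconverted_u2f(u2f_regs, webauthn_regs)
  converted_ids = webauthn_regs.map(&:u2f_registration_id).compact
  u2f_regs.reject { |r| converted_ids.include?(r.id) }
end

def preflight_ok?(u2f_regs, webauthn_regs)
  unconverted_u2f(u2f_regs, webauthn_regs).empty?
end

# Rollback preview: the destroy_all in the issue only touches WebAuthn rows
# with u2f_registration_id nil, so converted registrations survive and keep
# working as U2F once the flag is turned off again.
def rollback_candidates(webauthn_regs)
  webauthn_regs.select { |r| r.u2f_registration_id.nil? }
end

if __FILE__ == $PROGRAM_NAME
  missing = unconverted_u2f(U2F_REGS, WEBAUTHN_REGS).map(&:id)
  puts "U2F registrations still unconverted: #{missing.inspect}"
  puts "pre-flight ok: #{preflight_ok?(U2F_REGS, WEBAUTHN_REGS)}"
  doomed = rollback_candidates(WEBAUTHN_REGS).map(&:id)
  puts "WebAuthn rows a rollback would delete: #{doomed.inspect}"
end
```

Run the pre-flight against the real tables before each flag flip; a rollback after native WebAuthn registrations exist will remove exactly the rows the second function lists, so those users have to re-register.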