Remove OTP from being required before WebAuthn Device is registered
Background
In Support WebAuthn as 2FA method (#232669 - closed), GitLab added support for WebAuthn devices. Currently a user must register a two-factor authentication app (TOTP) before a WebAuthn device can be added.
This requirement was originally added to guarantee that a non-WebAuthn backup method is always in place: WebAuthn can confuse customers, and without a fallback factor every lost or broken device turns into a 2FA reset request, which is a large support burden. We currently don't offer 2FA resets to our Free customers.
However, mandating TOTP as a backup for WebAuthn compromises the security that WebAuthn provides. An account is only as strong as its weakest factor, and an attacker who phishes a TOTP code bypasses WebAuthn's phishing resistance entirely.
References
This was mentioned in Slack, and again (internal only).
Internal Discussion here
Proposal
Configuring TOTP should not be required before adding a WebAuthn device.
- The user must generate and download recovery codes before a WebAuthn device can be added
- The user can still set up TOTP, but it is not required before a WebAuthn device is added
- Add text warning the user that they should have at least two methods configured for 2FA, so that losing a single device does not lock them out
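As an added illustration of the proposed gating (example code written for this issue, not GitLab's implementation; the class, method names and the rule that only TOTP and WebAuthn devices count as everyday authenticators are assumptions), the current precondition (a TOTP app must exist) is shown beside the proposed one (recovery codes must have been downloaded), together with the warning condition:

```ruby
require 'securerandom'

# Hypothetical minimal model of a user's 2FA state. Example code only; names
# are illustrative and do not correspond to GitLab's models.
class TwoFactorAccount
  RECOVERY_CODE_COUNT = 10

  attr_reader :totp_enabled, :webauthn_devices, :recovery_codes

  def initialize
    @totp_enabled = false
    @webauthn_devices = []
    @recovery_codes = []
    @recovery_codes_downloaded = false
  end

  def enable_totp
    @totp_enabled = true
  end

  # Generates a fresh set of single-use recovery codes. A real implementation
  # would persist only digests of the codes; storage is out of scope here.
  def generate_recovery_codes
    @recovery_codes = Array.new(RECOVERY_CODE_COUNT) { SecureRandom.hex(8) }
    @recovery_codes_downloaded = false
    @recovery_codes
  end

  # Called when the user confirms they have saved the codes.
  def confirm_recovery_codes_downloaded
    raise 'no recovery codes to confirm' if @recovery_codes.empty?
    @recovery_codes_downloaded = true
  end

  def recovery_codes_downloaded?
    @recovery_codes_downloaded
  end

  # Current behaviour described in the issue: a TOTP app must be registered first.
  def can_register_webauthn_before?
    totp_enabled
  end

  # Proposed behaviour: recovery codes must have been downloaded; TOTP is optional.
  def can_register_webauthn_after?
    recovery_codes_downloaded?
  end

  # Registers a device under either policy; raises when the precondition fails.
  def register_webauthn_device(name, policy: :after)
    allowed = policy == :before ? can_register_webauthn_before? : can_register_webauthn_after?
    raise 'precondition not met' unless allowed
    @webauthn_devices << name
    name
  end

  # Everyday second factors the user can sign in with. Recovery codes are
  # deliberately not counted (assumption): they are a last resort, not a factor.
  def authenticator_count
    (totp_enabled ? 1 : 0) + (webauthn_devices.empty? ? 0 : 1)
  end

  # Warning text the proposal asks for, returned only while a single lost
  # device would leave the user with nothing but recovery codes.
  def warning
    return nil if authenticator_count >= 2
    'Only one second factor is configured. Add TOTP or a second WebAuthn device ' \
      'so that losing this device does not lock you out.'
  end
end
```

Under the proposed policy a user with no TOTP app can add a device as soon as recovery codes are confirmed downloaded; the warning then stays visible until a second authenticator (TOTP or another device) is added.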