
Draft: Enable WebAuthn device registration without TOTP

Eduardo Sanz García requested to merge eduardosanz/webauthn-without-totp into master

What does this MR do and why?

Replaced the jQuery application for registering WebAuthn devices with a Vue component.

Made WebAuthn device registration possible without TOTP. Therefore, the "Set up new device" option is always available.

Increased security by adding a required password field to be able to register a new device.

We also introduced a few minor UI improvements.

Changelog: changed

Screenshots or screen recordings

[Screenshots: before and after]

The whole process using Chrome:

Screen_Recording_2023-02-10_at_09.56.35

How to set up and validate locally

  1. In the Rails console, enable the feature flag: Feature.enable(:webauthn_without_totp)
  2. Go to https://gdk.test:3443/-/profile/two_factor_auth
  3. Select Set up new device. It should be available even if the two-factor authentication using TOTP is disabled.
  4. Follow the workflow.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eduardo Sanz García
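
An added sketch, not code from this merge request or from GitLab, of the server-side gate the description implies: with the flag on, registration no longer depends on TOTP but the current password must be re-entered. The `Account` struct, the helper names, the PBKDF2 digest, and the assumption that the old flow required TOTP while the password check applies only under the flag are all illustrative.

```ruby
require 'openssl'

# Constructed stand-ins for illustration; not GitLab's models or controllers.
Account = Struct.new(:salt, :password_digest, :totp_enabled, :webauthn_devices)

def password_digest(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                           length: 32, hash: 'sha256')
end

def build_account(password, totp_enabled:)
  salt = OpenSSL::Random.random_bytes(16)
  Account.new(salt, password_digest(password, salt), totp_enabled, [])
end

# Constant-time check of the password re-entered on the registration form.
def current_password_valid?(account, candidate)
  return false if candidate.nil? || candidate.empty?

  OpenSSL.fixed_length_secure_compare(
    password_digest(candidate, account.salt), account.password_digest
  )
end

# Returns [:registered, name] or [:rejected, reason].
# flags: enabled feature flags (the page's flag is :webauthn_without_totp).
def register_webauthn_device(account, name:, current_password:, flags: [])
  if flags.include?(:webauthn_without_totp)
    # Assumed new flow: no TOTP precondition, but a live session alone is
    # not enough; the user must re-enter the account password.
    unless current_password_valid?(account, current_password)
      return [:rejected, :invalid_current_password]
    end
  elsif !account.totp_enabled
    # Assumed previous flow: a device could only be added once TOTP was set up.
    return [:rejected, :totp_required]
  end

  account.webauthn_devices << name
  [:registered, name]
end
```

The point of the password gate is that enrolling a new authenticator changes how the account is protected, so the check has to be enforced by the server and not only by the required field in the form.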
