Remove TOTP requirement for WebAuthn (!111769) · Merge requests · GitLab.org / GitLab

Aboobacker MK requested to merge remove-totp-req-webauthn-backend into master Feb 13, 2023

What does this MR do and why?

This is the first set of backend changes for #378844 (closed). This MR removes the requirement that Time-based OTP needs to be enabled for Webauthn to work.

Screenshots or screen recordings

This MR is purely backend changes, there won't be any visible changes for the end user

How to set up and validate locally

To test the controller with the webauthn_without_totp enable:

In rails console, run: Feature.enable(:webauthn_without_totp)
Apply the frontend MR: curl https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111659.diff | git apply
Register webauthn device
Save backup codes and click on "Proceed" button
Webauthn registration success message should be shown on page
Visiting https://gdk.test:3443/-/profile/two_factor_auth should show your registered Webauthn device
Sign out of GitLab and back in, Webauthn validation should be required in login flow and allow you to complete login.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Feb 13, 2023 by Eduardo Sanz García

Remove TOTP requirement for WebAuthn

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports