Skip to content

Ask for recovery code if WebAuthn is the only 2FA

Eduardo Sanz García requested to merge eduardosanz/webauthn-recovery-codes into master

What does this MR do and why?

When the feature flag webauthn_without_totp is enable, allow users to enter the recovery code in case WebAuthn is the only 2FA.

The change in wording in Show numeric keyboard on mobile for 2fa codes (!112202 - merged) I believe it will help for user with WebAuthn device but no TOTP.

Changelog: changed

Screenshots or screen recordings

No changes

How to set up and validate locally

  1. In rails console, enable the feature flag: Feature.enable(:webauthn_without_totp)
  2. Go to https://gdk.test:3443/-/profile/two_factor_auth
  3. Disable all current 2FA.
  4. Select Set up new device. It should be available even if the two-factor authentication using TOTP is disabled.
  5. Follow the workflow and set up new WebAuthn device. Save recovery codes.
  6. Sign out
  7. Sign in and cancel all prompts until you can enter the recovery code.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading