
Recovery option for Webauthn
Open, Needs TriagePublic

Description

Feature request: Recovery option for Webauthn before it's activated
Webauthn is active immediately without checking if the key works and without recovery options. If my key gets broken after the setup I lose my account. Github and Google still have recovery codes available.

Event Timeline

Der_Keks created this task. Feb 5 2020, 12:20 PM
Restricted Application added a subscriber: Aklapper. Feb 5 2020, 12:20 PM
Reedy added a subscriber: Reedy. Edited Feb 5 2020, 6:57 PM

> Webauthn is active immediately without checking if the key works...

Well, no. You have to insert it and press it; that's checking if the key works

The rest of this request is basically T232336: Separate recovery codes into a separate MFA method

See also T242031: Allow multiple different 2FA devices and T230042: Allow multiple totp devices
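The thread repeatedly points at scratch/recovery codes as the missing fallback: a short list of single-use codes issued at enrollment, shown once, and accepted as an alternative second factor when the hardware key is lost. The block below is an added illustration of that pattern, not code from the MediaWiki OATHAuth/WebAuthn extensions or from anyone in this thread. The code count, code length, hash parameters and the dataclass layout are my own assumptions; the properties it demonstrates are the ones a practitioner would check for: only hashes are stored, comparison is constant-time, every code is consumed on first use, and regenerating the set invalidates the old one.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed parameters for this example (not the project's choices):
CODE_COUNT = 10          # codes issued per set
CODE_BYTES = 5           # 40 bits of entropy per code -> 10 hex characters
PBKDF2_ITERATIONS = 50_000


def _normalize(code: str) -> str:
    """Accept the code as the user is likely to type it: any case, with or
    without the grouping dash or spaces."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash(code: str, salt: bytes) -> bytes:
    """Store only a salted, iterated hash so a database leak does not hand
    out working recovery codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ITERATIONS)


@dataclass
class RecoveryCodes:
    """Recovery codes for one account. `hashes` holds only codes that have
    not been used yet; a redeemed code is deleted, never marked."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list[bytes] = field(default_factory=list)

    def generate(self) -> list[str]:
        """Issue a fresh set. The plaintext list is returned for one-time
        display to the user; nothing but hashes remains on the server.
        Any previously issued set is discarded at the same time."""
        self.salt = secrets.token_bytes(16)
        self.hashes = []
        plaintext = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(CODE_BYTES)
            code = f"{raw[:5]}-{raw[5:]}"          # e.g. "3fa9c-1e07b"
            plaintext.append(code)
            self.hashes.append(_hash(_normalize(code), self.salt))
        return plaintext

    def redeem(self, candidate: str) -> bool:
        """Consume one code. Returns True at most once per issued code.
        The candidate is hashed once and compared against every stored
        hash with a constant-time comparison."""
        digest = _hash(_normalize(candidate), self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]       # single use: remove on success
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; a UI would warn when this is low."""
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodes()
    issued = store.generate()
    print("show once to the user:", issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("replay rejected:   ", store.redeem(issued[0]))
    print("codes remaining:   ", store.remaining())
```

Two points of the thread map directly onto the `redeem` path: a lost or broken key is survivable because the code is an independent factor that does not involve the authenticator at all, and the password-reset flow jeblad describes would still need to call into something like this after the temporary password, otherwise reset alone never gets past the second-factor prompt.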

jeblad added a subscriber: jeblad.May 23 2020, 12:03 PM

Seems like the setup fails on Firefox with my Yubikey.

If it is correct that log-in only depends on a single key, and I can't configure more keys or scratch codes, then this is terrifying.

You can add many/multiple different yubikeys, as per the "Add key" button

jeblad added a comment. Edited May 23 2020, 1:31 PM

So, what about alternate MFA and in particular scratch codes?

Just tried to use password reset to see if that works without a key, and it asked for the key after using a temporary password. That is sort of correct, but it will not solve the problem with a broken key. I believe the same thing happens with a TOTP (will check tomorrow), but in that case scratch codes are available.

Reedy added a comment. May 23 2020, 2:08 PM

> So, what about alternate MFA and in particular scratch codes?

Already answered in this ticket

> Just tried to use password reset to see if that works without a key, and it asked for the key after using a temporary password. That is sort of correct, but it will not solve the problem with a broken key. I believe the same thing happens with a TOTP (will check tomorrow), but in that case scratch codes are available.

Which is why we've not rolled out 2FA more widely yet.

With solutions that include T180896: Allow functionaries to reset second factor on low-risk accounts

Posted a note at Torget and told people to use TOTP; this solution is not ready for production.