
Default to WebAuthn when available during login 2FA check
Closed, ResolvedPublic

Description

User Story:

As a user, when logging in, if a WebAuthn-based option (security key or other type of passkey) is registered, it will be presented as the default 2FA authenticator to log in with.

Event Timeline

Mstyles renamed this task from As a user, when logging in, if a FIDO-based option (security key or passkey) is registered, it will be presented as the default 2fa authenticator to login with. to Default to FIDO-based options when available. Jul 22 2025, 8:53 PM

Do we want to remember what the user used the last time, or always prioritize WebAuthn?

Since the selection of the default happens in OATHAuth but passkeys are handled in WebAuthn, we'll need a hook for this. At which point, we could implement this either generally or for Wikimedia only, with the same effort - which should it be?

Tgr renamed this task from Default to FIDO-based options when available to Default to WebAuthn when available during login 2FA check. Aug 1 2025, 3:42 PM
Tgr updated the task description. (Show Details)

Replaced "FIDO" with WebAuthn - I think the intent was the same but FIDO is less well-specified. Let me know if I misunderstood.

I believe we should always prioritize WebAuthn. If a user has a phishing-resistant option registered, we should be encouraging them to use it -- and also making it more noticeable if they actually do end up at a phishing site (which will not be able to offer a working WebAuthn UI). This will be especially important for users with extended rights and WMF staff that may be targeted for phishing. We can make it pretty easy for the user to select to use an alternative method to log in. I'm open to user feedback, and/or seeing it show up in analytics that users are switching to alternative methods more than we might expect and which seems high-friction, but I think we should start from a posture of WebAuthn-first.

> Since the selection of the default happens in OATHAuth but passkeys are handled in WebAuthn, we'll need a hook for this.

Or maybe we can just add a getPriority() method to IModule.
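An added illustration of the priority-based default selection discussed in this thread, written for this page and not taken from OATHAuth or the WebAuthn extension. The interface, class names, priority values and the request parameter are assumptions chosen to model the "getPriority() on IModule" idea together with the "always prefer WebAuthn, but let the user switch" posture described above:

```php
<?php
declare(strict_types=1);

// Added illustration, not code from OATHAuth or the WebAuthn extension.
// The interface, class names, priority values and the request parameter
// are assumptions used to model a getPriority()-style selection rule.

interface PrioritizedModule {
    public function getName(): string;
    /** Higher wins when choosing the default second factor. */
    public function getPriority(): int;
}

final class WebAuthnModule implements PrioritizedModule {
    public function getName(): string { return 'webauthn'; }
    // Phishing-resistant: the origin is bound into the assertion, so this
    // should outrank every shared-secret method.
    public function getPriority(): int { return 100; }
}

final class TotpModule implements PrioritizedModule {
    public function getName(): string { return 'totp'; }
    public function getPriority(): int { return 10; }
}

final class RecoveryCodesModule implements PrioritizedModule {
    public function getName(): string { return 'recoverycodes'; }
    // Last resort: only the default when nothing else is enrolled.
    public function getPriority(): int { return 0; }
}

/**
 * Pick the module to present first on the 2FA step.
 *
 * @param PrioritizedModule[] $enabled   modules the account actually has enrolled
 * @param string|null         $requested module the user explicitly switched to
 *                                       (assumed to arrive as a request parameter)
 */
function chooseDefaultModule(array $enabled, ?string $requested = null): ?PrioritizedModule {
    if ($enabled === []) {
        return null;
    }
    // An explicit "use another method" choice is honoured only if that
    // method is enrolled for this account; an unknown or unenrolled name
    // cannot steer the flow and falls through to the priority rule.
    if ($requested !== null) {
        foreach ($enabled as $module) {
            if ($module->getName() === $requested) {
                return $module;
            }
        }
    }
    // Otherwise always take the highest priority (WebAuthn when enrolled),
    // independent of what was used last time. Ties are broken by name so
    // the result is deterministic.
    usort($enabled, static function (PrioritizedModule $a, PrioritizedModule $b): int {
        return [$b->getPriority(), $a->getName()] <=> [$a->getPriority(), $b->getName()];
    });
    return $enabled[0];
}

// Constructed sample accounts (not real data).
$staff = [new TotpModule(), new WebAuthnModule(), new RecoveryCodesModule()];
$totpOnly = [new TotpModule(), new RecoveryCodesModule()];

echo chooseDefaultModule($staff)->getName(), "\n";
echo chooseDefaultModule($staff, 'totp')->getName(), "\n";
echo chooseDefaultModule($staff, 'sms')->getName(), "\n";
echo chooseDefaultModule($totpOnly)->getName(), "\n";
```

The four calls exercise the cases raised in the thread: an account with a WebAuthn credential gets it as the default even though TOTP is also enrolled; an explicit switch to an enrolled method is honoured; a request naming a method the account does not have is ignored rather than letting a tampered parameter pick the flow; and an account without WebAuthn simply gets the best method it does have. Whether this lives behind a hook or as a method on IModule is the open design question, not the selection rule itself.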

Mstyles claimed this task.

Marking this as resolved by T401777