NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License
486 stars 27 forks

Password requirement for WebAuthn external key (like YubiKey) should be optional #89

Closed krambrock closed 2 months ago

krambrock commented 5 months ago

When using a YubiKey for WebAuthn MFA, a password is mandatory for the key. Other platforms and applications (such as Google and Proxmox) permit the use of the key without a password, which, in my opinion, is more practical as a second factor of authentication.

I've briefly looked through the code in your repository at https://github.com/NHAS/webauthn but couldn't pinpoint the exact location where this configuration might be modified. Could you provide some guidance on how to adjust this setting?

NHAS commented 5 months ago

I don't know what you mean by this. My webauthn implementation doesn't support or require a password.

krambrock commented 5 months ago

Thanks for the fast answer.

This happens to me when I register a YubiKey with Google or Proxmox: [screenshot: registerForGoogle]

And this happens to me when I register it to wag: [screenshot: registerForWag]

As I said, I browsed a bit through the code and I did not find anything. It is not super-important, I would just not use external keys then with wag.

NHAS commented 5 months ago

This looks like it's using the Windows Hello based WebAuthn instead of the physical security key.

I use webauthn with a u2f key and I do not get a prompt like this.

krambrock commented 5 months ago

Good to know that it works for you, I'll check my setup then. It is definitely the key, though. I entered a password once, and the key had a password at that time.

krambrock commented 5 months ago

I found a detailed description why this is happening in Mastodon (https://github.com/mastodon/mastodon/pull/16545) together with a two-line change in Ruby (https://github.com/mastodon/mastodon/pull/16545/commits/11a78615d6fc5564cbbae1d280b339b00c6a3239).

The summary: If userVerification is set to preferred (probably the default) and you use a FIDO2 key that supports a PIN in Windows, then the PIN is requested and you cannot avoid setting it. This is also described in https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/User_Presence_vs_User_Verification.html.

The solution would be to set it to discouraged, like in the Mastodon commit. Changes could maybe be done in these two places:

Maybe I'll look into it myself when I got a Go setup running.
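As an added example (not wag's code, nor the Mastodon change referenced above), a stdlib-only Go sketch of the relying-party check that has to go with the userVerification setting: with "required" the server must insist on the UV flag in the authenticator data, while "preferred" and "discouraged" only mandate the UP flag, so a key that never prompted for a PIN is accepted. The flag-bit values are from the WebAuthn authenticator data layout; the sample authenticator data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// UserVerificationRequirement mirrors the WebAuthn enum the server sends
// in authenticatorSelection.userVerification / userVerification.
type UserVerificationRequirement string

const (
	VerificationRequired    UserVerificationRequirement = "required"
	VerificationPreferred   UserVerificationRequirement = "preferred"
	VerificationDiscouraged UserVerificationRequirement = "discouraged"
)

// Bits of the authenticator data flags byte (offset 32, after rpIdHash).
const (
	flagUserPresent  = 0x01 // UP: user touched the key
	flagUserVerified = 0x04 // UV: PIN or biometric was checked
)

// CheckUserVerification applies the spec's RP-side rule: user presence is
// always mandatory; user verification is mandatory only when the RP asked
// for "required". For "preferred" and "discouraged", a clear UV bit is fine.
func CheckUserVerification(req UserVerificationRequirement, authData []byte) error {
	// rpIdHash (32) + flags (1) + signCount (4) is the minimum length.
	if len(authData) < 37 {
		return errors.New("authenticator data too short")
	}
	flags := authData[32]
	if flags&flagUserPresent == 0 {
		return errors.New("user presence (UP) flag not set")
	}
	if req == VerificationRequired && flags&flagUserVerified == 0 {
		return errors.New("user verification required but UV flag not set")
	}
	return nil
}

func main() {
	// Constructed sample: zero rpIdHash, flags byte, 4-byte sign counter.
	upOnly := append(make([]byte, 32), flagUserPresent, 0, 0, 0, 1)
	upAndUV := append(make([]byte, 32), flagUserPresent|flagUserVerified, 0, 0, 0, 1)
	fmt.Println(CheckUserVerification(VerificationDiscouraged, upOnly)) // <nil>
	fmt.Println(CheckUserVerification(VerificationRequired, upOnly))    // error
	fmt.Println(CheckUserVerification(VerificationRequired, upAndUV))   // <nil>
}
```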

NHAS commented 5 months ago

Sweet! Thanks for finding that, I'll have a look at setting it in wag.

Just as there is on-going work, this change might not be released for quite some time.

krambrock commented 4 months ago

I found a workaround with a YubiKey (other keys will probably provide something similar). Just disable the FIDO2 functionality of your key before registering it and leave the U2F function activated: [screenshot: disableFido2]

After you have registered you can re-enable the FIDO2 functionality. I think it still makes sense to change the setting, but with this workaround it might be low priority.

NHAS commented 2 months ago

This is now on unstable, thanks for the excellent recommendation and resources!