Ability to toggle PIN verification for Yubikey MFA

[deusxanima]

What would you like Teleport to do? Customers have requested the ability to toggle FIDO PIN verification when configuring Teleport MFA w/ Yubikeys.

Potential solution put forward by dev:

# teleport.yaml
auth_service:
  authentication:
    type: local
    second_factor: on # anything that allows webauthn
    webauthn:
      user_verification: required # <--this

What problem does this solve? Adding a prompt for the PIN would add an extra layer of security.

If a workaround exists, please include it. Currently none exists.

gz#5015

[codingllama]

Hey folks, I would just like to highlight a few requirements/caveats:

• PIN prompts require proper FIDO2/CTAP2 support on tsh, which we don't have atm for Teleport v9. The good news is that it is on track for the upcoming v10 release (closely related to #9160).

• The solution above would, theoretically, bump the user verification requirements for all MFA interactions. The ultimate decider on how to achieve verification (or to fail because it's not supported) is the authenticator. In the scenarios I tested, it has the effect of activating PIN prompts, but YMMV. Authenticators that support biometrics could (and usually do) skip PINs in favor of their normal bio check.

The TL;DR is that there isn't a "do a PIN prompt" toggle in WebAuthn. We ask for a stricter user verification requirement, then the authenticator decides how to do that.