It should be possible to name existing webauthn authenticators.

Open zelch opened this issue 1 year ago • 0 comments

When a user already has webauthn authenticators set up with Okta, and they have more than one, it would be quite helpful if they could provide names or aliases so that they can select the authenticator that they have on hand.

Expected Behavior

When using an 'unnamed' webauthn authenticator, we should prompt for a name or alias on successful use.

After that, we should include that name or alias when printing the list of possible MFA factors.

Current Behavior

Today, you will have multiple entries like:

Multi-factor Authentication required.
Pick a factor:
[0] webauthn: Authenticator
[1] webauthn: Authenticator

With the suggested behavior, you would instead get something like:

Multi-factor Authentication required.
Pick a factor:
[0] webauthn: Authenticator
[1] webauthn: Desktop Yubikey

Possible Solution

PR incoming.

A further possible enhancement would be to get a list of webauthn devices currently connected, and if there is a single webauthn device matching the list of possible webauthn devices from Okta, only list that device.

However, that is definitely a more involved change.

Steps to Reproduce (for bugs)

Register multiple webauthn authenticators through the Okta web interface, attempt to authenticate with gimme-aws-creds, and make a guess as to which option is the authenticator currently plugged in.

Context

Trying to guess which entry is the connected device is a poor experience, and it definitely made me second guess myself at first.

Your Environment

  • App Version used: Current git HEAD, 96064117205a57a0e2850e7eb905070e1024691b
  • Operating System and version: MacOS Monterey, Version 12.5.1

zelch, Sep 14 '22 16:09