authentik
authenticator_validate remember device class
Is your feature request related to a problem? Please describe.
I have configured multiple 2fa devices for backup. I always need to choose my primary 2fa device.
Describe the solution you'd like
The default 2fa device in the flow should be the last used one or a device configured as the primary one.
The 2fa flow should not require a click to choose a preset/last used auth device.
Last used should be possible, because the pk of the mfa device gets stored in event logs.
We don't have exactly this, but there is the option to remember a 2fa authentication for a certain amount of time and allow the user to skip that.
Nice feature, but this is lacking in the security aspect.
Another idea would be to preselect the WebAuthn device if a device is present (is plugged into the USB port). Is the WebUSB/WebAuthn API available in the selection screen?
I'm not sure if it's possible to detect that (especially without any additional popups).
Your request makes sense as is and we'll add this in the future at some point.
My idea would be to implement the check via the WebUSB API at the start of the MFA selection dialog and do auto selection if a WebAuthn device is present.
(Sadly the WebAuthn API does not provide such a function, or did I miss something?)
From my point of view there are two aspects to clarify:
- How fast is the USB detection? For me, a delay of a few seconds would be acceptable.
- Where do we get a full list of USB IDs of WebAuthn devices like YubiKey? Is this community big enough?
Our eventual implementation for this would save the last used authenticator for a pending user. There was the idea of saving this as a cookie like the validation does; however, that would only save this on a specific device and not centrally per-user. (Also, feel free to open a PR to add this.)
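A sketch of the central, per-user approach described in the last comment, as an added example that is not authentik's code: `Device`, `LastUsedStore` and `pick_default_device` are hypothetical names, and the device list and class labels are constructed. The remembered pk only reorders the offered challenges; a deleted device or a class the stage no longer allows falls back to the normal selection.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Device:
    pk: int
    device_class: str  # constructed labels, e.g. "totp", "webauthn", "static"
    confirmed: bool = True


class LastUsedStore:
    """Per-user, server-side record, so the hint follows the user to any browser
    (a cookie would only cover one). In-memory stand-in for a database field."""

    def __init__(self) -> None:
        self._by_user: Dict[str, int] = {}

    def record_success(self, user_id: str, device_pk: int) -> None:
        # Call only after the MFA challenge has been validated successfully.
        self._by_user[user_id] = device_pk

    def get(self, user_id: str) -> Optional[int]:
        return self._by_user.get(user_id)


def pick_default_device(devices, last_used_pk, allowed_classes):
    """Return (preselected device or None, devices ordered for display)."""
    # Only confirmed devices of a class the stage permits can be offered.
    usable = [d for d in devices if d.confirmed and d.device_class in allowed_classes]
    # A stale pk (device deleted or class no longer allowed) yields no preselection.
    preselected = next((d for d in usable if d.pk == last_used_pk), None)
    ordered = [d for d in usable if d is preselected] + [d for d in usable if d is not preselected]
    return preselected, ordered


# Constructed sample data.
DEVICES = [Device(1, "totp"), Device(2, "webauthn"), Device(3, "static")]
ALL_CLASSES = {"totp", "webauthn", "static"}

if __name__ == "__main__":
    store = LastUsedStore()
    store.record_success("alice", 2)
    chosen, order = pick_default_device(DEVICES, store.get("alice"), ALL_CLASSES)
    print(chosen, [d.pk for d in order])
```

The user still has to complete the preselected challenge, and the full list stays available so a backup device can be chosen.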