jwag

Reputation: 807

Webauthn - adding a second MFA device

I have a use case I haven't seen described in various WebAuthn guides.

My website supports WebAuthn (i.e. it is a Relying Party), and I want to offer WebAuthn as a second authentication factor. The website requires 2FA for all users.

A user registers, and on first login, is required to set a second factor - say they choose WebAuthn with a platform (e.g. macbook) authenticator. All goes well, and the user can log in and out from their macbook just fine.

Now they want to access the website from their mobile device. They can't log into the website since it requires 2FA and the only registered 2FA mechanism is tied to a different device.

How could this be solved without basically allowing the user to use just a single factor to log in and then be allowed to add a new second factor (seems like a bad security risk) OR forcing the user to add a non-WebAuthn second factor (such as SMS or authenticator app) from their macbook - and then sign in on the mobile device using that? If so then it would seem that WebAuthn doesn't really replace anything, it is an alternative with a potentially nicer UX.

Upvotes: 0

Views: 543

Answers (2)

Tim

Reputation: 1240

I somewhat disagree that this is a "drawback of WebAuthn". WebAuthn is a browser API for public key credentials. The authenticator ecosystem is a whole different story. Today, for most 2FA scenarios, platform authenticators are designed to provide step-up on an existing known device for re-authenticating the user (privileged operations, payments, etc.). That was the original design for platform authenticator usage in the 2FA scenario.

The concept of passkey (notice the lowercase p) is an industry wide effort to solve device loss scenarios. In many cases, specifically cross ecosystem, a passkey is a bootstrapping mechanism to then enroll a platform authenticator. Apple is offering this in tech preview to allow developers to play with it inside their iCloud Keychain-based ecosystem. Cross ecosystem usage is a big part of the passkey initiative and you'll hear a lot more about it in 2022.

Upvotes: 1

Jan Gerle

Reputation: 236

This is indeed one of the major drawbacks of WebAuthn. You have already mentioned some ways to add another device in your question. Let me add two thoughts:

For one, you could trigger a "temporary protected single-factor login" from within an MFA-authenticated session. E.g., create and display a QR code containing a one-time login on screen, scan it with the phone and register the phone's platform authenticator. You might even add some OTP to the process to make it 2FA.

Besides that, Apple is working on Passkeys, which are basically cross-device syncing platform authenticators. Grab a coffee and have a read over here: https://www.hanko.io/blog/passkeys-part-1

Upvotes: 1
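The QR-code bootstrap described in the answer above, as an added server-side sketch (this is not the answerer's code, nor any particular library's API). It assumes a hypothetical RP endpoint `https://rp.example/enroll`, keeps pending links in memory, and reads the "add some OTP" step as a short approval code that is displayed on the phone after the link is redeemed and typed back into the laptop's MFA-verified session, so that a device which merely photographed the QR code cannot complete enrollment. WebAuthn credential verification itself is left to a WebAuthn library; the example only shows the session and token discipline around it.

```python
"""One-time, short-lived enrollment link minted from an MFA-verified session.
The phone that redeems it gets a session that can do exactly one thing:
register a new WebAuthn authenticator. Added example, not from the original page."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

BOOTSTRAP_TTL_SECONDS = 120           # enough time to scan a QR code, not much more
SCOPE_ENROLL_ONLY = "webauthn:register"


@dataclass
class Session:
    user_id: str
    mfa_verified: bool                                  # True only after a full 2FA login
    scopes: set = field(default_factory=lambda: {"*"})  # "*" = unrestricted session


@dataclass
class PendingBootstrap:
    user_id: str
    expires_at: float
    approval_code: str        # shown on the phone, typed back into the laptop session
    redeemed: bool = False
    approved: bool = False


class EnrollmentBootstrap:
    """Server-side state for the QR-code enrollment flow (in-memory for the example)."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing expiry
        self._pending: dict[str, PendingBootstrap] = {}

    def _lookup(self, token: str) -> PendingBootstrap:
        pending = self._pending.get(token)
        if pending is None or self._clock() > pending.expires_at:
            self._pending.pop(token, None)        # expired entries are dropped on touch
            raise PermissionError("unknown, used or expired bootstrap link")
        return pending

    # Step 1 (laptop, fully MFA-verified session): mint the link encoded in the QR code.
    def issue(self, session: Session) -> str:
        if not session.mfa_verified or "*" not in session.scopes:
            raise PermissionError("bootstrap links require an MFA-verified, unrestricted session")
        token = secrets.token_urlsafe(32)         # 256 random bits: unguessable, never reused
        self._pending[token] = PendingBootstrap(
            user_id=session.user_id,
            expires_at=self._clock() + BOOTSTRAP_TTL_SECONDS,
            approval_code=f"{secrets.randbelow(10**6):06d}",
        )
        return f"https://rp.example/enroll?token={token}"   # hypothetical RP endpoint

    # Step 2 (phone): redeem the scanned link once and get an enroll-only session.
    def redeem(self, token: str) -> tuple:
        pending = self._lookup(token)
        if pending.redeemed:
            raise PermissionError("bootstrap link already redeemed")
        pending.redeemed = True
        restricted = Session(pending.user_id, mfa_verified=False, scopes={SCOPE_ENROLL_ONLY})
        return restricted, pending.approval_code  # the code is displayed on the phone only

    # Step 3 (laptop): the MFA session confirms the code it reads off the phone, proving
    # the device that redeemed the link is the one the user is actually holding.
    def approve(self, session: Session, token: str, code: str) -> None:
        pending = self._lookup(token)
        if not session.mfa_verified or session.user_id != pending.user_id:
            raise PermissionError("approval requires the owner's MFA-verified session")
        if not pending.redeemed or not secrets.compare_digest(code, pending.approval_code):
            raise PermissionError("wrong or premature approval code")
        pending.approved = True

    # Step 4 (phone): store the new credential. Validation of the attestation response
    # from navigator.credentials.create() is omitted; a WebAuthn library does that.
    def register_authenticator(self, session: Session, token: Optional[str],
                               credential_id: bytes, store: dict) -> None:
        if session.mfa_verified and "*" in session.scopes:
            pass                                  # adding a device from a normal 2FA session
        elif session.scopes == {SCOPE_ENROLL_ONLY} and token is not None:
            pending = self._lookup(token)
            if pending.user_id != session.user_id or not pending.approved:
                raise PermissionError("enrollment not approved from the MFA session")
            del self._pending[token]              # single use: the link dies with the enrollment
        else:
            raise PermissionError("this session may not register authenticators")
        store.setdefault(session.user_id, []).append(credential_id)
```

The properties worth checking in a real implementation are the same ones the sketch enforces: the link can only be minted from a session that already passed 2FA, it is unguessable, expires quickly, is redeemable once, the session it yields carries no scope other than registration, and the enrollment does not complete until the MFA-verified session has acknowledged the code shown on the new device.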
