
tsh credential picker for passwordless #13901

Closed
codingllama opened this issue Jun 27, 2022 · 1 comment
Labels
feature-request Used for new features in Teleport, improvements to current should be #enhancements passwordless tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

Comments


codingllama commented Jun 27, 2022

What would you like Teleport to do?

Provide a credential picker for FIDO2/Touch ID passwordless, similar to browsers, instead of relying exclusively on --user.

The "credential picker" was initially proposed in the passwordless design docs, but cut in favor of --user in the preview for various reasons. See "CLI-native authentication" in those docs.

What problem does this solve?

It makes the passwordless UX better.

If a workaround exists, please include it.

Not applicable.

@codingllama codingllama added feature-request Used for new features in Teleport, improvements to current should be #enhancements tsh tsh - Teleport's command line tool for logging into nodes running Teleport. passwordless labels Jun 27, 2022

codingllama commented Jun 27, 2022

The main problem I have here is a regression for Yubikey Bio UX, where we can't do one-tap logins anymore (because we need one tap to list credentials and another for the assertion). Tapping non-biometric keys is not a big deal, but you can't get away with any tap on Bio, which makes the extra tap a bit more annoying. The extra tap also increases the likelihood of the dreaded error 63 (see #13900).

Edit: solved via a patch on go-libfido2.

@codingllama codingllama self-assigned this Jun 28, 2022
codingllama added a commit that referenced this issue Jul 1, 2022
Add a credential picker to the tsh FIDO2/WebAuthn backend.

The PR pulls a recent patch in our go-libfido2 fork that makes it correctly
return multiple assertions from the authenticator. This allows us to implement
the credential picker for FIDO2, simplify our implementation and provide the
exact same UX that browsers use (always 1-touch for bio, touch->PIN->touch
otherwise).

I've dropped concepts like "optimistic assertions" and "eager PIN prompts" in
favor of a simple, uniform implementation.

Issue #13901.

* Prompt for credentials in LoginPrompt
* Update go-libfido2
* Implement FIDO2 credential picker
* Drop optimistic assertions, only set user if explicit
* Add license to fido2_prompt_test.go
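The commit above describes the selection rule the picker follows: the user is only pinned when `--user` is given explicitly, a single matching credential is used without further prompting, and several matches trigger a prompt. The following Go program is an added illustration of that rule and is not Teleport's code; `CredentialInfo`, `PickCredential`, `PromptFunc` and the sample credentials are assumptions made for the example, and the "ID" values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// CredentialInfo is a hypothetical stand-in for the per-credential record an
// authenticator returns during a passwordless assertion: the credential ID
// and the Teleport user it was registered for.
type CredentialInfo struct {
	ID   []byte
	User string
}

// PromptFunc is the terminal picker: it shows the candidates and returns the
// index the end user chose. It is only invoked when a choice is genuinely
// needed, so a single credential costs no extra interaction.
type PromptFunc func(creds []CredentialInfo) (int, error)

var (
	ErrNoCredentials = errors.New("no passwordless credentials found on authenticator")
	ErrUserNotFound  = errors.New("no credential registered for the requested user")
	ErrNoPicker      = errors.New("multiple credentials available but no picker configured")
)

// PickCredential applies the picker rule: filter by explicitUser only when one
// was supplied (no "optimistic" guessing otherwise), return immediately when
// exactly one candidate remains, and prompt when more than one remains.
func PickCredential(creds []CredentialInfo, explicitUser string, prompt PromptFunc) (CredentialInfo, error) {
	if len(creds) == 0 {
		return CredentialInfo{}, ErrNoCredentials
	}

	candidates := creds
	if explicitUser != "" {
		candidates = nil
		for _, c := range creds {
			if c.User == explicitUser {
				candidates = append(candidates, c)
			}
		}
		if len(candidates) == 0 {
			return CredentialInfo{}, ErrUserNotFound
		}
	}

	if len(candidates) == 1 {
		return candidates[0], nil
	}

	if prompt == nil {
		return CredentialInfo{}, ErrNoPicker
	}
	idx, err := prompt(candidates)
	if err != nil {
		return CredentialInfo{}, err
	}
	// Never trust the index blindly: an out-of-range choice must fail closed
	// rather than panic or silently fall back to some default credential.
	if idx < 0 || idx >= len(candidates) {
		return CredentialInfo{}, fmt.Errorf("credential choice %d out of range [0,%d)", idx, len(candidates))
	}
	return candidates[idx], nil
}

func main() {
	// Constructed sample: two logins registered on the same authenticator.
	creds := []CredentialInfo{
		{ID: []byte{0x01}, User: "alice"},
		{ID: []byte{0x02}, User: "bob"},
	}
	// A non-interactive picker standing in for the terminal prompt.
	picker := func(cs []CredentialInfo) (int, error) {
		for i, c := range cs {
			fmt.Printf("[%d] %s\n", i, c.User)
		}
		return 1, nil
	}
	chosen, err := PickCredential(creds, "", picker)
	fmt.Println(chosen.User, err)
}
```

Running the program prints the two candidates and then `bob <nil>`; passing `--user`-style input (`PickCredential(creds, "bob", nil)`) skips the prompt entirely, and an unknown user fails with `ErrUserNotFound` instead of falling back to the first credential.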
codingllama added a commit that referenced this issue Jul 1, 2022
Backport #14033 to branch/v10

Add a credential picker to the tsh FIDO2/WebAuthn backend.

The PR pulls a recent patch in our go-libfido2 fork that makes it correctly
return multiple assertions from the authenticator. This allows us to implement
the credential picker for FIDO2, simplify our implementation and provide the
exact same UX that browsers use (always 1-touch for bio, touch->PIN->touch
otherwise).

I've dropped concepts like "optimistic assertions" and "eager PIN prompts" in
favor of a simple, uniform implementation.

Issue #13901.

* Prompt for credentials in LoginPrompt
* Update go-libfido2
* Implement FIDO2 credential picker
* Drop optimistic assertions, only set user if explicit
* Add license to fido2_prompt_test.go
@codingllama codingllama changed the title tsh credential picker for WebAuthn / Passwordless tsh credential picker for passwordless Jul 13, 2022
codingllama added a commit that referenced this issue Jul 18, 2022
Allow explicit Touch ID prompts to be triggered via Go code, which will be used
to guard the (upcoming) credential picker prompt.

To avoid double-prompting users during Touch ID authentication we have to set a
grace period in the underlying LAContext and share it between the functions.
Note that AuthContextGuard (native) uses the LAContext explicitly, whereas
Authenticate (native) uses it through the SecItemCopyMatching query dictionary.

No UX visible changes are made in the PR, despite the fact that prompting occurs
a bit earlier.

#13901

* Allow explicit Touch ID prompts
codingllama added a commit that referenced this issue Jul 19, 2022
Implement the Touch ID credential picker.

During passwordless authentication, when more than one login is present in
Enclave credentials, `tsh` now asks the end user to pick their desired login.
Credential picker terminal prompts are preceded by a system Touch ID prompt,
which is then reused for authentication, provided less than 10 seconds pass in
the meantime.

I've done a couple of refactors to make the `CredentialInfo` structs similar
between the `webauthncli` and `touchid` packages, so it's easier to trace
parallels between them.

#13901

* Refactor touchid.CredentialInfo
* Refactor wancli.CredentialInfo
* Move fido2_prompt*.go to prompt*.go
* Define the touchid credential picker API
* Add Touch ID credential picker tests
* Implement touchid credential picker
codingllama added a commit that referenced this issue Jul 19, 2022
Allow explicit Touch ID prompts to be triggered via Go code, which will be used
to guard the (upcoming) credential picker prompt.

To avoid double-prompting users during Touch ID authentication we have to set a
grace period in the underlying LAContext and share it between the functions.
Note that AuthContextGuard (native) uses the LAContext explicitly, whereas
Authenticate (native) uses it through the SecItemCopyMatching query dictionary.

No UX visible changes are made in the PR, despite the fact that prompting occurs
a bit earlier.

#13901

* Allow explicit Touch ID prompts
codingllama added a commit that referenced this issue Jul 19, 2022
Implement the Touch ID credential picker.

During passwordless authentication, when more than one login is present in
Enclave credentials, `tsh` now asks the end user to pick their desired login.
Credential picker terminal prompts are preceded by a system Touch ID prompt,
which is then reused for authentication, provided less than 10 seconds pass in
the meantime.

I've done a couple of refactors to make the `CredentialInfo` structs similar
between the `webauthncli` and `touchid` packages, so it's easier to trace
parallels between them.

#13901

* Refactor touchid.CredentialInfo
* Refactor wancli.CredentialInfo
* Move fido2_prompt*.go to prompt*.go
* Define the touchid credential picker API
* Add Touch ID credential picker tests
* Implement touchid credential picker
codingllama added a commit that referenced this issue Jul 19, 2022
Implement the Touch ID credential picker.

During passwordless authentication, when more than one login is present in
Enclave credentials, `tsh` now asks the end user to pick their desired login.
Credential picker terminal prompts are preceded by a system Touch ID prompt,
which is then reused for authentication, provided less than 10 seconds pass in
the meantime.

I've done a couple of refactors to make the `CredentialInfo` structs similar
between the `webauthncli` and `touchid` packages, so it's easier to trace
parallels between them.

To avoid double-prompting users during Touch ID authentication we have to set a
grace period in the underlying LAContext and share it between the functions.
Note that AuthContextGuard (native) uses the LAContext explicitly, whereas
Authenticate (native) uses it through the SecItemCopyMatching query dictionary.

#14493:

* Refactor touchid.CredentialInfo
* Refactor wancli.CredentialInfo
* Move fido2_prompt*.go to prompt*.go
* Define the touchid credential picker API
* Add Touch ID credential picker tests
* Implement touchid credential picker

#13901:

* Allow explicit Touch ID prompts

Backports #14492 and #14493.

Closes #13901.