config/tfa: set UserVerificationPolicy to Discouraged
the current default is 'Preferred', which is not really useful, as the (web) client can simply change this to discouraged, since the webauthn_rs crate does not verify the 'user_verified' bit of the response in that case setting this to 'Required' is not really useful either at the moment, since a user can have a mix of different authenticators that may or may not support user verification there is ongoing discussion in the crate how to handle that[0] we could probably expose this setting(discouraged/required) to the user/admin and save it to the credential and allow only registering credentials of the same type or filter them out on login (i.e. if there is an authenticator that can handle userVerification, require it) in any case, the current default is not helpful for security, but makes loggin in harder, since the key will by default want to verify the user 0: https://github.com/kanidm/webauthn-rs/pull/49 Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
parent
3bb7e62e88
commit
7f37cacfac
@ -13,7 +13,7 @@ use openssl::pkey::PKey;
|
||||
use openssl::sign::Signer;
|
||||
use serde::{de::Deserializer, Deserialize, Serialize};
|
||||
use serde_json::Value;
|
||||
use webauthn_rs::Webauthn;
|
||||
use webauthn_rs::{proto::UserVerificationPolicy, Webauthn};
|
||||
|
||||
use webauthn_rs::proto::Credential as WebauthnCredential;
|
||||
|
||||
@ -804,7 +804,8 @@ impl TfaUserData {
|
||||
description: String,
|
||||
) -> Result<String, Error> {
|
||||
let userid_str = userid.to_string();
|
||||
let (challenge, state) = webauthn.generate_challenge_register(&userid_str, None)?;
|
||||
let (challenge, state) = webauthn
|
||||
.generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
|
||||
let challenge_string = challenge.public_key.challenge.to_string();
|
||||
let challenge = serde_json::to_string(&challenge)?;
|
||||
|
||||
@ -923,7 +924,8 @@ impl TfaUserData {
|
||||
return Ok(None);
|
||||
}
|
||||
|
||||
let (challenge, state) = webauthn.generate_challenge_authenticate(creds, None)?;
|
||||
let (challenge, state) = webauthn
|
||||
.generate_challenge_authenticate(creds, Some(UserVerificationPolicy::Discouraged))?;
|
||||
let challenge_string = challenge.public_key.challenge.to_string();
|
||||
let mut data = TfaUserChallengeData::open(userid)?;
|
||||
data.inner
|
||||
|
Loading…
Reference in New Issue
Block a user