config/tfa: set UserVerificationPolicy to Discouraged

the current default is 'Preferred', which is not really useful, as the
(web) client can simply change this to discouraged, since the
webauthn_rs crate does not verify the 'user_verified' bit of the
response in that case

setting this to 'Required' is not really useful either at the moment,
since a user can have a mix of different authenticators that may or
may not support user verification

there is ongoing discussion in the crate how to handle that[0]

we could probably expose this setting(discouraged/required) to the user/admin
and save it to the credential and allow only registering credentials
of the same type or filter them out on login (i.e. if there is an
authenticator that can handle userVerification, require it)

in any case, the current default is not helpful for security, but
makes loggin in harder, since the key will by default want to verify
the user

0: https://github.com/kanidm/webauthn-rs/pull/49

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2021-02-25 10:01:19 +01:00 committed by Thomas Lamprecht
parent 3bb7e62e88
commit 7f37cacfac

View File

@ -13,7 +13,7 @@ use openssl::pkey::PKey;
use openssl::sign::Signer;
use serde::{de::Deserializer, Deserialize, Serialize};
use serde_json::Value;
use webauthn_rs::Webauthn;
use webauthn_rs::{proto::UserVerificationPolicy, Webauthn};
use webauthn_rs::proto::Credential as WebauthnCredential;
@ -804,7 +804,8 @@ impl TfaUserData {
description: String,
) -> Result<String, Error> {
let userid_str = userid.to_string();
let (challenge, state) = webauthn.generate_challenge_register(&userid_str, None)?;
let (challenge, state) = webauthn
.generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
let challenge_string = challenge.public_key.challenge.to_string();
let challenge = serde_json::to_string(&challenge)?;
@ -923,7 +924,8 @@ impl TfaUserData {
return Ok(None);
}
let (challenge, state) = webauthn.generate_challenge_authenticate(creds, None)?;
let (challenge, state) = webauthn
.generate_challenge_authenticate(creds, Some(UserVerificationPolicy::Discouraged))?;
let challenge_string = challenge.public_key.challenge.to_string();
let mut data = TfaUserChallengeData::open(userid)?;
data.inner