Skip to content

LG-10177: Always show Face / Touch Unlock in list of configured MFAs#8723

Merged
aduth merged 5 commits intomainfrom
aduth-lg-10177-face-touch-configured-mfas
Jul 10, 2023
Merged

LG-10177: Always show Face / Touch Unlock in list of configured MFAs#8723
aduth merged 5 commits intomainfrom
aduth-lg-10177-face-touch-configured-mfas

Conversation

@aduth
Copy link
Contributor

@aduth aduth commented Jul 6, 2023
edited
Loading

🎫 Ticket

LG-10177

🛠 Summary of changes

Removes behavior which would prevent a user from attempting to authenticate an existing WebAuthn configuration on a device which does not have a platform authenticator available (isUserVerifyingPlatformAuthenticatorAvailable).

Why? Because the user's credential may be accessible via cloud services regardless of the availability of a local platform authenticator. For example, a MacBook laptop that does not have a thumbprint reader may still be able to use an iCloud-synced WebAuthn credential.

📜 Testing Plan

  1. On a supported device (iOS 16+, Android), go to http://localhost:3000
  2. Create an account
  3. Select "Face or Touch Unlock" as your MFA method
  4. Continue account creation
  5. On a device which does not have a platform authenticator (e.g. laptop without thumbprint reader, maybe a virtual machine, or Firefox browser), go to http://localhost:3000
  6. Sign in to the account created between steps 2-4
  7. Observe that you are not redirected to an error page when clicking "Use Face or Touch Unlock"
  8. Click "Choose another method"
  9. Observe that the "Face or Touch Unlock" option is included in the list of configured MFA methods

👀 Screenshots

Screen Before After
Authenticate Screen Shot 2023-07-06 at 3 37 17 PM Screen Shot 2023-07-06 at 3 38 10 PM
MFA List Screen Shot 2023-07-06 at 3 35 18 PM Screen Shot 2023-07-06 at 3 35 11 PM

† Note that the Firefox experience of prompting for Security Key here is far from ideal, though this is not the ideal use-case for platform authenticators, since Firefox does not have any support for Passkeys at all.

@aduth aduth mentioned this pull request Jul 6, 2023
Merged
5 tasks
aduth
aduth commented Jul 6, 2023
View reviewed changes
spec/features/webauthn/hidden_spec.rb Outdated
Copy link
Contributor Author

@aduth aduth Jul 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be easiest to review this file with whitespace changes hidden:

https://github.com/18F/identity-idp/pull/8723/files?w=1

@aduth aduth marked this pull request as ready for review July 6, 2023 20:47
@aduth aduth requested a review from a team July 6, 2023 20:47
@aduth aduth marked this pull request as draft July 7, 2023 12:56
@aduth aduth force-pushed the aduth-lg-10177-face-touch-configured-mfas branch from 752dcc6 to 0227d00 Compare July 7, 2023 15:22
@aduth aduth marked this pull request as ready for review July 7, 2023 16:29
zachmargolis
zachmargolis approved these changes Jul 7, 2023
View reviewed changes
Copy link
Contributor

@zachmargolis zachmargolis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aduth aduth merged commit cf4faa5 into main Jul 10, 2023
@aduth aduth deleted the aduth-lg-10177-face-touch-configured-mfas branch July 10, 2023 12:35
@aduth aduth mentioned this pull request Jul 10, 2023
Merged
This was referenced Jul 10, 2023
Closed
Merged
@aduth aduth mentioned this pull request Aug 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmdembe jmdembe jmdembe approved these changes

+1 more reviewer

@zachmargolis zachmargolis zachmargolis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aduth @zachmargolis @jmdembe