LG-10286: Allow AAL2-restricted sign in to choose another option#8837

Merged
aduth merged 1 commit intomainfrom
aduth-lg-10286-strict-aal2-warning
Aug 1, 2023
Conversation

@aduth aduth commented Jul 24, 2023

🎫 Ticket

LG-10286

🛠 Summary of changes

Updates AAL2 strict authentication requests to use a more standardized user flow, allowing a user to use all available methods supported for the request.

Previously, it would not be possible to use Face or Touch Unlock to sign in to a partner requesting phishing-resistant MFA.

With these changes, the user will always be given the option to "Choose another authentication method" when prompted for their MFA. If MFA options are limited due to request parameters of the partner, a warning will be shown on the MFA selection screen explaining why the options are limited.

Draft: Merges to #8834

📜 Testing Plan

  1. Go to http://localhost:3000
  2. Create an account with PIV/CAC as your MFA
  3. From account dashboard, click "Add Face or Touch Unlock" and complete enrollment
  4. From account dashboard, click "Security key" and complete enrollment
  5. From account dashboard, click "Forget all browsers" and complete this flow
  6. Sign out
  7. With the example sample app running in a separate process, go to http://localhost:9292
  8. Under Options, select "Phishing-resistant AAL2" under "Authentication Assurance Level (AAL)"
  9. Click "Sign in"
  10. Sign in to the account you created
  11. Confirm that you are able to use any of your MFA methods to sign in

👀 Screenshots

Phishing Resistant Required:

| Screen | Before | After |
| --- | --- | --- |
| MFA selection | N/A | mfa-select-after |
| PIV authentication | piv-before | piv-after |
| Security Key authentication | security-key-before | security-key-after |
| Face/Touch authentication | N/A | ft-after |

PIV/CAC Only:

| Screen | Before | After |
| --- | --- | --- |
| PIV authentication | piv-only-before | piv-only-after |
| MFA selection | N/A | piv-only-mfa-select-after |

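The selection rule the summary above describes (the partner's request parameters narrow which enrolled MFA methods are offered, and the selection screen warns when that happens), as an added Ruby illustration that is not Login.gov IdP code; the method symbols, the three constraint names and the exact warning condition are assumptions drawn from the description.

```ruby
# Added illustration of the selection rule described in the PR summary; this
# is not Login.gov IdP code. Method symbols and constraint names are assumed.
require 'set'

# Every MFA method a user could enrol (assumed set). Face/Touch Unlock is a
# platform WebAuthn authenticator; a security key is roaming WebAuthn.
ALL_METHODS = %i[sms voice totp backup_codes piv_cac webauthn webauthn_platform].freeze

# Which enrolled methods satisfy each request parameter. Per the PR,
# phishing-resistant AAL2 now admits Face/Touch Unlock as well as PIV/CAC and
# security keys; "PIV/CAC only" admits PIV/CAC alone.
CONSTRAINT_METHODS = {
  aal2: ALL_METHODS.to_set,
  phishing_resistant: %i[piv_cac webauthn webauthn_platform].to_set,
  piv_cac_only: %i[piv_cac].to_set,
}.freeze

# What the "Choose another authentication method" screen shows: the methods
# the user may actually pick, plus a warning when the request narrowed them.
SelectionScreen = Struct.new(:options, :warning, keyword_init: true)

# enrolled: methods the user has set up; constraint: key from the partner's
# request. The screen is always offered; only its options are filtered.
def mfa_selection(enrolled:, constraint:)
  permitted = CONSTRAINT_METHODS.fetch(constraint) do
    raise ArgumentError, "unknown request constraint: #{constraint}"
  end
  options = enrolled.select { |m| permitted.include?(m) }

  # Assumed warning rule: shown whenever the request excludes any method at
  # all, matching the PR's "options are limited due to request parameters".
  warning =
    if permitted.size < ALL_METHODS.size
      "The partner requires #{constraint.to_s.tr('_', ' ')}; " \
        'only methods that meet that requirement are shown.'
    end

  # An empty option list means the user has nothing eligible; the caller
  # decides what to do (this example just reports it).
  SelectionScreen.new(options: options, warning: warning)
end

if $PROGRAM_NAME == __FILE__
  screen = mfa_selection(enrolled: %i[piv_cac webauthn_platform webauthn],
                         constraint: :phishing_resistant)
  puts "options: #{screen.options.join(', ')}"
  puts "warning: #{screen.warning}"
end
```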
@aduth aduth requested a review from a team July 24, 2023 14:59
@aduth aduth marked this pull request as ready for review July 26, 2023 13:35
@mdiarra3 mdiarra3 left a comment

LGTM

aduth commented Jul 27, 2023

Since this depends on / merges to #8834, I'm going to wait for that to be approved and merged, then rebase this against main for merge.

@aduth aduth force-pushed the aduth-lg-10286-mfa-troubleshooting branch from 50c9149 to 0d2968f August 1, 2023 14:19
Base automatically changed from aduth-lg-10286-mfa-troubleshooting to main August 1, 2023 16:54
changelog: Bug Fixes, Sign In, Allow user to use all supported MFA methods in AAL2 strict authentication
@aduth aduth force-pushed the aduth-lg-10286-strict-aal2-warning branch from e3bb9b4 to b8339c7 August 1, 2023 16:57
@aduth aduth merged commit 0defc7f into main Aug 1, 2023
@aduth aduth deleted the aduth-lg-10286-strict-aal2-warning branch August 1, 2023 17:11