WebAuthn as a second factor
Web Authentication, shortened as WebAuthn, is a standard method by which a web browser can authenticate to an application (the Relying Party; in our case, LemonLDAP::NG) through the use of an Authenticator, which can be a hardware token (USB, NFC…) or provided by the user’s device itself (TPM).
Tip
If you want to use WebAuthn as a first factor (also called passwordless), see the dedicated documentation.
Implementation status
Currently, we implement:
Device registration without attestation validation (attestation type: None)
Authentication as a second factor with the registered device
Requirements
You need to install the Authen::WebAuthn CPAN module for WebAuthn to work on your LemonLDAP::NG installation.
For Debian:
apt install libauthen-webauthn-perl
For RHEL (>=8):
dnf install perl-Authen-WebAuthn
If there is no package for it in your distribution, you can install it with:
cpanm Authen::WebAuthn
Configuration
Activation: set it to “on”.
Self registration: set it to “on” if users are authorized to register their keys.
Allow user to remove WebAuthn: if enabled, users can unregister their WebAuthn devices.
User verification: whether or not LemonLDAP::NG requires the user to authenticate to their second factor device, usually by entering a PIN code. Warning: the Required option is not supported by older U2F security keys.
Use discoverable credential: a private key associated with a user handle is generated on the authenticator.
Attestation: type of attestation to request from the authenticator. After enabling this, you need to specify a list of trusted certificates.
Attestation trusted certificates: a concatenation of PEM certificates that you trust for attestation.
Relying Party display name: how the LemonLDAP::NG server will appear in the web browser messages displayed to the user.
Relying Party ID: the domain name on which WebAuthn devices can be registered and used. It must be a non-public suffix of the portal’s hostname.
Send U2F AppID: send the string that declares which facets belong to this application.
User Display Name attribute: session attribute containing the user’s display name.
Default transports: comma-separated list of transport hints sent to the web browser if none are provided during registration.
Authentication level: you can override the authentication level for WebAuthn-registered users here. Leaving it blank keeps the level provided by the first authentication module (default: 2 for user/password based modules). It is recommended to set a higher value here if you want to give access to some applications only to enrolled users.
Label (Optional): label that should be displayed to the user on the choice screen
Logo (Optional): logo file (in static/<skin> directory)
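The Relying Party ID setting above is the one most often misconfigured: browsers only accept an RP ID that is the portal hostname itself or a suffix of it on a label boundary, and never a public suffix. The following added example (not LemonLDAP::NG code) checks a candidate RP ID against the portal hostname before you put it in the configuration; the small PUBLIC_SUFFIXES set is a constructed subset for illustration, and a real check should consult the full Public Suffix List.

```python
"""Check a configured WebAuthn Relying Party ID against the portal hostname.

Added example, not LemonLDAP::NG code. It implements the rule stated in the
documentation: the RP ID must equal the portal hostname or be a suffix of it on
a label boundary, and must not be a public suffix such as "com" or "co.uk".
"""

# Constructed subset of the Public Suffix List, for this example only; a real
# deployment should use the full list from https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "fr"}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, strip a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def rp_id_problems(portal_host: str, rp_id: str) -> list[str]:
    """Return the reasons why rp_id is not acceptable for portal_host.

    An empty list means the RP ID is valid. Checks performed:
      * the RP ID is non-empty and has no empty label ("example..com");
      * the RP ID equals the portal host or is a suffix of it at a label
        boundary ("ample.com" is NOT a valid suffix of "auth.example.com"
        even though the string ends with it);
      * the RP ID is not itself a public suffix (browsers refuse those).
    """
    problems = []
    rp = _labels(rp_id)
    host = _labels(portal_host)
    if not rp_id.strip() or any(label == "" for label in rp):
        problems.append("RP ID is empty or contains an empty label")
        return problems
    # Compare whole labels from the right, never raw string suffixes.
    if len(rp) > len(host) or host[len(host) - len(rp):] != rp:
        problems.append(f"{rp_id!r} is not a label-boundary suffix of {portal_host!r}")
    if ".".join(rp) in PUBLIC_SUFFIXES:
        problems.append(f"{rp_id!r} is a public suffix and cannot be an RP ID")
    return problems


def rp_id_is_valid(portal_host: str, rp_id: str) -> bool:
    """True when the RP ID can be used for a portal running on portal_host."""
    return not rp_id_problems(portal_host, rp_id)


if __name__ == "__main__":
    # Constructed sample hostnames; only example.com / example.co.uk are used.
    for host, rp in [
        ("auth.example.com", "example.com"),
        ("auth.example.com", "auth.example.com"),
        ("auth.example.com", "ample.com"),
        ("auth.example.com", "com"),
        ("auth.example.co.uk", "co.uk"),
        ("auth.example.com", "other.com"),
    ]:
        print(f"{host:22} {rp:18} -> {rp_id_problems(host, rp) or 'OK'}")
```

Credentials are scoped to the RP ID, so pick it once and keep it: changing it later means every registered device stops matching and users have to enroll again.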
Attention
If you want to use a custom rule for “activation” and want to keep self-registration, you must add the following condition to the custom activation rule:
and has2f('WebAuthn')
Without this condition, users who have not registered a WebAuthn device will still be prompted for one. This condition is added automatically when “activation” is simply set to “on”.
Provisioning
If you don’t want to use self-registration, store the public part of the user’s security key in the Second Factor Devices array (JSON) in your user database, then map it to the _2fDevices attribute (see exported variables):
[{"name" : "MyFIDO2" , "type" : "WebAuthn" , "epoch":"1524078936"}, ...]
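An admin provisioning script has to edit that _2fDevices array without clobbering entries of other types (TOTP, U2F, …) and without registering the same key twice. The following added example, which is not LemonLDAP::NG code, validates the structure shown above and appends a WebAuthn entry. It only knows the three fields the documentation shows (name, type, epoch); the credential material the plugin stores alongside them is not described on this page, so the extra keyword arguments are a hypothetical pass-through for values taken from a real registration.

```python
"""Add a WebAuthn entry to a user's _2fDevices JSON array.

Added example, not LemonLDAP::NG code. Only the fields shown in the
documentation (name, type, epoch) are validated; any credential fields from a
real registration are copied into the entry unchanged.
"""
import json
import time

REQUIRED_KEYS = ("name", "type", "epoch")


def load_devices(raw):
    """Parse the _2fDevices attribute; an absent or empty value means no devices."""
    if not raw or not raw.strip():
        return []
    devices = json.loads(raw)
    if not isinstance(devices, list) or not all(isinstance(d, dict) for d in devices):
        raise ValueError("_2fDevices must be a JSON array of objects")
    for d in devices:
        for key in REQUIRED_KEYS:
            if key not in d:
                raise ValueError(f"device entry is missing {key!r}: {d}")
        # The documented format stores the Unix timestamp as a string of digits.
        if not str(d["epoch"]).isdigit():
            raise ValueError(f"epoch must be a Unix timestamp: {d['epoch']!r}")
    return devices


def device_names(raw, type_="WebAuthn"):
    """Names of the devices of the given type in the array."""
    return [d["name"] for d in load_devices(raw) if d["type"] == type_]


def get_device(raw, name, type_="WebAuthn"):
    """Return the entry with this (type, name) pair, or None."""
    for d in load_devices(raw):
        if d["type"] == type_ and d["name"] == name:
            return d
    return None


def add_webauthn_device(raw, name, epoch=None, **credential):
    """Return the updated _2fDevices JSON with a new WebAuthn entry appended.

    Refuses a duplicate (type, name) pair so a provisioning script cannot
    register the same key twice. `credential` holds the hypothetical extra
    fields a real registration produces; they are stored as given.
    """
    devices = load_devices(raw)
    if any(d["type"] == "WebAuthn" and d["name"] == name for d in devices):
        raise ValueError(f"a WebAuthn device named {name!r} already exists")
    entry = {
        "name": name,
        "type": "WebAuthn",
        "epoch": str(epoch if epoch is not None else int(time.time())),
    }
    entry.update(credential)
    devices.append(entry)
    return json.dumps(devices, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: the user already has a TOTP device registered.
    existing = '[{"name":"MyTOTP","type":"TOTP","epoch":"1500000000"}]'
    updated = add_webauthn_device(existing, "MyFIDO2", epoch=1524078936)
    print(updated)
    print("WebAuthn devices:", device_names(updated))
```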
Migrating existing U2F devices
WebAuthn is compatible with both the FIDO and FIDO2 standards, which means this module lets you use any U2F-compatible device you already own.
You can use the lemonldap-ng-sessions tool to migrate existing U2F devices to the WebAuthn plugin:
# For one user
lemonldap-ng-sessions secondfactors migrateu2f dwho
# For all users
lemonldap-ng-sessions secondfactors migrateu2f --all
Once you are satisfied with WebAuthn, you can remove the existing U2F devices and disable the U2F second factor module:
# For one user
lemonldap-ng-sessions secondfactors delType dwho U2F
# For all users
lemonldap-ng-sessions secondfactors delType --all U2F