WebAuthn as a second factor

Web Authentication, shortened as WebAuthn, is a standard method by which a web browser can authenticate to an application (the Relying Party; in our case, LemonLDAP::NG) through the use of an Authenticator, which can be a hardware token (USB, NFC…) or provided by the user’s device itself (TPM).

New in version 2.0.14: Currently, we only implement WebAuthn as a second factor. Passwordless, first-factor authentication will be added in a later release.

Implementation status

Currently, we implement:

  • Device registration without attestation validation (attestation type: None)

  • Authentication as a second factor with the registered device

Requirements

You need to install the Authen::WebAuthn CPAN module for WebAuthn to work on your LemonLDAP::NG installation. If there is no package for it in your distribution, you can install it with:

cpanm Authen::WebAuthn

Configuration

  • Activation: set it to “on”

  • Self registration: set it to “on” if users are authorized to register their keys.

  • Allow user to remove WebAuthn: If enabled, users can unregister their WebAuthn device.

  • User verification: Whether or not LemonLDAP::NG requires the user to authenticate to their second factor device, usually by entering a PIN code. Warning: The Required option is not supported by older U2F security keys.

  • Attestation: Type of attestation to request from the authenticator. After enabling this, you need to specify a list of trusted certificates.

  • Attestation trusted certificates: A concatenation of PEM certificates that you trust for attestation.

  • Relying Party display name: How the LemonLDAP::NG server will appear in the web browser messages displayed to the user.

  • Relying Party ID: The domain name on which WebAuthn devices can be registered and used. It must be a non-public suffix of the portal’s hostname.

  • User Display Name attribute: Session attribute containing the user's display name.

  • Authentication level: Here you can override the authentication level for users who have registered a WebAuthn device. Leaving it blank keeps the authentication level provided by the first authentication module (default: 2 for user/password based modules). It is recommended to set a higher value here if you want to grant access to some applications only to enrolled users.

  • Label (Optional): Label that should be displayed to the user on the choice screen.

  • Logo (Optional): Logo file (in the static/<skin> directory).
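As an added example (not code from LemonLDAP::NG), the following Python check enforces the constraints these options imply: the Relying Party ID must be a non-public suffix of the portal hostname, a non-None attestation type needs trusted PEM certificates, and user verification set to Required should flag the U2F caveat. The configuration key names and the tiny public suffix subset are assumptions made for this example.

```python
"""Configuration sanity checks for the WebAuthn second factor options above."""
from __future__ import annotations

# Constructed, deliberately tiny stand-in for the Public Suffix List; a real
# check would load the full list. This is an assumption of this example.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def rp_id_is_valid(rp_id: str, portal_host: str) -> bool:
    """The Relying Party ID must equal the portal hostname or be one of its
    parent domains, and must not itself be a public suffix (otherwise any
    site under that suffix could be scoped to the registered credentials)."""
    rp_id = rp_id.strip().lower().rstrip(".")
    host = portal_host.strip().lower().rstrip(".")
    if not rp_id or rp_id in PUBLIC_SUFFIXES:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def lint_webauthn_config(cfg: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a mapping whose keys mirror the option
    names in this section (the key names are an assumption of this example,
    not the real LemonLDAP::NG configuration keys)."""
    errors, warnings = [], []
    if cfg.get("activation") != "on":
        errors.append("WebAuthn second factor is not activated")
    if not rp_id_is_valid(cfg.get("rp_id", ""), cfg["portal_host"]):
        errors.append("Relying Party ID must be a non-public suffix of the portal hostname")
    if cfg.get("attestation", "none") != "none":
        # Any attestation type other than None needs a trust store to verify against
        if PEM_MARKER not in cfg.get("attestation_trusted_certs", ""):
            errors.append("attestation requested but no trusted PEM certificates given")
    if cfg.get("user_verification") == "required":
        warnings.append("user verification 'required' is not supported by older U2F keys")
    return errors, warnings


# Constructed sample configuration (not a real LemonLDAP::NG configuration export)
SAMPLE_CONFIG = {
    "portal_host": "auth.example.com",
    "activation": "on",
    "rp_id": "example.com",
    "user_verification": "preferred",
    "attestation": "none",
    "attestation_trusted_certs": "",
}

if __name__ == "__main__":
    print(lint_webauthn_config(SAMPLE_CONFIG))  # ([], [])
```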

Migrating existing U2F devices

WebAuthn is compatible with both the FIDO and FIDO2 standards, which means this module lets you use any U2F-compatible device you already own.

You can use the lemonldap-ng-sessions tool to migrate existing U2F devices to the WebAuthn plugin.

# For one user
lemonldap-ng-sessions secondfactors migrateu2f dwho

# For all users
lemonldap-ng-sessions secondfactors migrateu2f --all

Once you are satisfied with WebAuthn, you can remove existing U2F devices and disable the U2F second factor module.

# For one user
lemonldap-ng-sessions secondfactors delType dwho U2F

# For all users
lemonldap-ng-sessions secondfactors delType --all U2F