Passkeys / WebAuthn¶
Authentication |
Users |
Password |
---|---|---|
✔ |
New in version 2.20.0.
Presentation¶
This mode allow you to authenticate to LemonLDAP::NG using nothing but your FIDO2 credential.
Requirements¶
As of version 2.20.0, authenticating with Passkeys requires enabling WebAuthn as a second factor
Important
Passkeys require the Use discoverable credential option to be set to preferred or required
Non-discoverable credentials can only be used as second factors
Configuring passkeys as an alternate authentication method¶
The simplest way to use Passkeys is to enable Backend choice by users and add a new authentication choice using the WebAuthn module and your usual LDAP/AD/etc. user backend, in addition to another (LDAP/AD/etc.) authentication backend that users can use on their first login to register their passwordless credential.
Passwordless credentials have to be registered in the portal’s Second factor manager at the moment.
Tips¶
Custom second factor activation rule¶
If you used custom rule to trigger WebAuthn second factors, you may notice that WebAuthn is asked twice in order to authenticate with passkeys. In order to prevent this, add
and $_auth ne "WebAuthn"
to the WebAuthn activation rule.
You should also add this rule if you have enabled other 2FA types and want to skip them after authenticating with WebAuthn