How to run credential policies from the MFA flow
Activity

Timo Tunturi, March 11, 2025 at 6:08 AM
Also I found that the canonicalization problem only happens when authenticating with a YubiKey. An Android phone with cross-device authentication works fine with canonicalization after the WebAuthn flow has been run.

Timo Tunturi, March 11, 2025 at 5:44 AM
Oh there is another thing that probably won’t work correctly during a reuse scenario: getActiveResults() from the MFA context. I am using the Password flow as a first factor for people who don’t have registered WebAuthn credentials and as additional User Verification after WebAuthn has been run in passwordless mode if the user or the credential indicates it. So the proceed-bean after authn/Password checks if getActiveResults() contains authn/WebAuthn or not to determine whether Password was used as a first factor or as additional User Verification for WebAuthn.

Timo Tunturi, March 11, 2025 at 5:08 AM
For the time being I am using from the WebAuthnAuthenticationContext in my mfa flow:
Login method: passwordless or second factor
Credential aaguid in guid string format
That data is used after a successful authn/WebAuthn execution to determine if additional User Verification is necessary. I’m gonna have to wrap my head around the implications of the WebAuthnAuthenticationContext not being available in a reuse scenario. My session length is only 12h so I suppose the only thing that could change within that type of a timeframe would be the aaguid list of credentials that require additional user verification. That list doesn’t change often so it isn’t a huge deal. My mfa flow will just have to not croak when the WebAuthnAuthenticationContext isn’t available.
Generally speaking I do think that the useful stuff in the WebAuthnAuthenticationContext would be login method (usernameless/passwordless/second_factor) and the credential id of the credential that was used. With the credential id you could dig up the credential record from the store.
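The two comments above describe the same decision logic from two sides: after authn/WebAuthn, use the login method and AAGUID to decide whether authn/Password must run as additional User Verification, and after authn/Password, use getActiveResults() to tell whether Password was the first factor or that UV step. The following is an added example, not code from this thread or from the Shibboleth project, written as plain ES5 functions so it runs under Node as well as the IdP's script engines. It assumes the caller passes in the flow ids that are keys of MultiFactorAuthenticationContext.getActiveResults(), and a stand-in object for WebAuthnAuthenticationContext with fields loginMethod and aaguid (those field names are an assumption) that is null when the authn/WebAuthn result was reused and no context exists. Unlike the approach in the comment above, which treats a reused result as already verified, this example fails closed on reuse, which is a policy choice rather than the only correct one.

```javascript
// Added example, not part of the thread or the Shibboleth IdP/WebAuthn plugin.
// Inputs are stand-ins for IdP objects:
//   activeFlowIds: keys of MultiFactorAuthenticationContext.getActiveResults()
//   webAuthnCtx:   {loginMethod: "passwordless"|"usernameless"|"second_factor",
//                   aaguid: "<guid string>"}  -- field names are an assumption;
//                  null when authn/WebAuthn was reused and no context was built.

var WEBAUTHN_FLOW = "authn/WebAuthn";
var PASSWORD_FLOW = "authn/Password";

// Constructed placeholder AAGUIDs (not real device identifiers) of
// authenticators that must get additional user verification via Password.
var UV_REQUIRED_AAGUIDS = [
  "00000000-0000-4000-8000-000000000001",
  "00000000-0000-4000-8000-000000000002"
];

// ES5 helper; Array.prototype.includes is not available in Nashorn/Rhino.
function contains(list, value) {
  return list.indexOf(value) !== -1;
}

// Transition after authn/WebAuthn: returns the next flow id to run, or null
// when the MFA flow can complete. Never throws when the context is missing.
function nextFlowAfterWebAuthn(activeFlowIds, webAuthnCtx, uvRequiredAaguids) {
  var uvList = uvRequiredAaguids || UV_REQUIRED_AAGUIDS;

  // Reuse case: the WebAuthn result is active but no context was created on
  // this request, so login method and AAGUID are unknown. Fail closed: treat
  // the session as verified only if an active Password result shows that the
  // additional UV step already ran; otherwise run it again.
  if (webAuthnCtx === null || webAuthnCtx === undefined) {
    return contains(activeFlowIds, PASSWORD_FLOW) ? null : PASSWORD_FLOW;
  }

  // Second-factor use means a first factor already happened; nothing to add.
  if (webAuthnCtx.loginMethod === "second_factor") {
    return null;
  }

  // Passwordless or usernameless: require Password only for listed AAGUIDs.
  // Normalise case so a GUID string compares regardless of how it was rendered.
  var aaguid = String(webAuthnCtx.aaguid || "").toLowerCase();
  return contains(uvList, aaguid) ? PASSWORD_FLOW : null;
}

// Logic for the bean that runs after authn/Password: Password was the
// additional UV step exactly when a WebAuthn result is already active;
// otherwise it was the first factor for a user without WebAuthn credentials.
function passwordWasAdditionalUv(activeFlowIds) {
  return contains(activeFlowIds, WEBAUTHN_FLOW);
}

// Stand-alone demonstration with constructed inputs.
var demoCtx = { loginMethod: "passwordless", aaguid: UV_REQUIRED_AAGUIDS[0] };
console.log("after WebAuthn (listed AAGUID):", nextFlowAfterWebAuthn([WEBAUTHN_FLOW], demoCtx));
console.log("after WebAuthn (reused, no ctx):", nextFlowAfterWebAuthn([WEBAUTHN_FLOW], null));
console.log("Password was UV step:", passwordWasAdditionalUv([WEBAUTHN_FLOW, PASSWORD_FLOW]));
```

The cost of the fail-closed branch is that a reused WebAuthn result whose Password result has expired, or whose authenticator never needed UV in the first place, gets a Password prompt on reuse; the benefit is that a shorter Password lifetime or a changed AAGUID list cannot silently skip the UV step. In a real transition script the two inputs would be read from the MultiFactorAuthenticationContext and from the WebAuthn plugin's context, and the second-factor check should use whatever value the plugin actually exposes for the login method.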

Philip Smart, March 10, 2025 at 4:25 PM (edited)
That will also apply to the WebAuthnAuthenticationContext: if the authn/WebAuthn result is reused the context will not exist (if you needed that in your flow after the first time it has run).

Philip Smart, March 10, 2025 at 3:51 PM (edited)
Yeah, thanks. Indeed it might be needed as part of an MFA flow where this result is re-used. So not serializing isn’t going to work.
Sometimes you would want to make decisions in the MFA flow based on the WebAuthn authentication a posteriori. You could for instance want to require additional user verification for some authenticators or some users.
This could be achieved by running policy beans from within the MFA flow. Policy beans are an interface that already exists for this kind of thing, although in a slightly different context. You could also potentially reuse some code (policy beans) that already exists. Documenting a straightforward way to call policy beans from within the MFA flow makes sense.
In the future it might make sense to make the process more elegant but I don’t know what/how that would be.