WebAuthnReleaseNotes
1.1.0 (13th March 2025)
This is both a bug and feature release of the WebAuthn plugin.
Configurable collection of credential nicknames
Nickname collection can now be disabled by setting the property idp.authn.webauthn.registration.nicknameRequired. This can streamline credential registration.
Credential filter policy
In addition to the Authentication Credential Policy, which determines whether the credential a user has used for authentication is accepted or rejected, a new Filter Policy engine can be implemented for passwordless and second-factor authentication flows. This engine restricts the credentials that users can use before they attempt to authenticate. It cannot be applied to the usernameless mode, as the user (and credentials) are not identified until after the WebAuthn authentication ceremony has been performed.
Forced authentication for registration and management views
An oversight in the first version prevented the registration and management views from being configured to require re-authentication (forceAuthn). This can now be achieved by setting either of the properties idp.authn.webauthn.admin.registration.forceAuthn or idp.authn.webauthn.admin.management.forceAuth.
Access control policy to guard against ‘weak’ authentication to the registration view
For the more cautious, a new access control policy is included in the distribution that prevents ‘weak’ authentication methods from being used to access the registration page if the user already has FIDO2 credentials. For example, it provides extra protection against using only single-factor password authentication to access the registration page when the user has already registered a FIDO2 credential.
Note that if you have another second-factor authentication method available, you can already mandate the use of ‘strong’ authentication by setting the defaultAuthenticationMethods property. Also, now that v1.1.0 allows you to force re-authentication, the guard is likely not needed if you have a suitable MFA configuration (although you’d need to evaluate that).
Credential last used time
A new field has been added to the storage record to store the last used time of a credential.
In the default registration and management view templates, the ‘Registration Time’ column has been replaced with either ‘Registration Time’ or, if enabled, ‘Last Used Time’. You’d need to update your templates on upgrade if you wanted to add the $cred.credentialRecord.lastUsedTime value (use the new templates as an example).
By default, this feature is disabled to preserve backward compatibility and to prevent additional writes to the storage service, likely a database. To enable it, set the property idp.authn.webauthn.updateLastUsedTime to true.
If you enable this feature, you will no longer be able to revert to older versions of the plugin without either removing the lastUsedTime field from each credential registration or removing and re-registering the credential entirely.
1.0.0 (5th Dec 2024)
The first version of the WebAuthn plugin.
The WebAuthn login flow facilitates FIDO2 authentication within the Identity Provider (IdP) by utilizing the Web Authentication API. This enables strong, public-key-based authentication. The plugin can operate in various ways: as a single-factor option within a broader multi-factor authentication, as passwordless authentication after the user enters their username, or as usernameless authentication where the user is implicitly identified from the credential they choose.