On 09/04/2022 20.50, Dan Davis wrote:
> MFA is typically built with some form of federated login
I am not sure that this is "typical", but I agree that many
organizations want to manage keys in a single place. The trouble with
WebAuthn is that is a challenge-response protocol, so you cannot just
use any existing authentication protocol and replace the traditional
password by an OTP.
I am not aware of any open protocol for doing federated WebAuthn (or
federated MFA in general) yet, but I must also admit that I didn't know
many of the acronyms from Dan's mail.
It seems to me like this is similar to AuthenticationBackend: there
could be a ModelBackend (provided by django) that stores MFA keys in a
model. But then there could also be other (third party) backends that
implement different federation protocols.
I think we need answers for the following challenges:
- How do we deal with the explosion of combinations? There are already
different AuthenticationBackends. To that we would add different MFA
protocols (TOTP, WebAuthn, …) and different MFA federation protocols.
For most of these it is mix-and-match. But in same cases the three
levels might also be tightly coupled.
- MFA often requires a two step authentication flow, either because we
need to generate a user-specific challenge or because we need to check
whether MFA is activated for this particular user. We need to figure out
how to support this in LoginView, especially the weird "half
- Different protocols need different UI (e.g. "enter a 6-digit code" for
OTP or "activate your token" for WebAuthn).