WebAuthn / FIDO2 / 2fa: allow discoverable or non-discoverable passkeys #57151
+329
−115
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
swissbit-eis-admin
requested review from
leftybournes,
nfebe,
skjnldsv,
sorbaugh and
yemkareems
and removed request for
a team
This was referenced Dec 17, 2025
swissbit-eis-admin
changed the title
8 tasks
swissbit-eis-admin
changed the title
swissbit-eis-admin
force-pushed
the
fido2-optional-discoverable-credentials
branch
2 times, most recently
from
b70e65a to
9da50df
Compare
…oice - Let users choose during registration whether a passkey is stored as a discoverable credential; retry with the legacy flow if the authenticator can't do resident keys. - Simplify “Log in with a device”: a single field now accepts an optional login/email, using discoverable credentials when left empty and falling back gracefully otherwise. - Backend/WebAuthn services updated to handle optional usernames and return the credential source so the UID can be derived from the authenticator. Signed-off-by: swissbit-eis-admin <[email protected]>
swissbit-eis-admin
force-pushed
the
fido2-optional-discoverable-credentials
branch
from
9da50df to
6606ccb
Compare
Signed-off-by: swissbit-eis-admin <[email protected]>
Signed-off-by: swissbit-eis-admin <[email protected]>
…ical and more user centric wording Signed-off-by: swissbit-eis-admin <[email protected]>
Signed-off-by: swissbit-eis-admin <[email protected]>
Author
|
@ChristophWurst can you give me feedback to my PR? The idea was to extend Passkey Support by discoverable credentials (new), keep existing functionality for existing password less login (keep) and rephrase the technical wording (webauthn) to a more standard user centric view (modified). Thank you. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please refer to PR to stable32: #57154
Both have similar function
Summary
This allows user to register discoverable and non-discoverable FIDO2 passkeys in user settings.
If user tries to login with second factor and omits email login -> discoverable credential attempted
if user fills in email at login -> classic host side credentials are used.
TODO
Checklist
3. to review, feature component)stable32)