Currently, passkeys can only be used as an MFA method.
We can add passkeys as a login method, allowing users to log into Panopticon using their passkey.
There are two types of passkeys we need to support:
Username + passkey (roaming authenticator)
Passkey only (resident authenticator)
⚠️ Resident authenticators are mostly useful with software-based passkeys such as TouchID / FaceID, Windows Hello, Android biometric lock, 1Password, etc. Hardware-based passkeys are impractical since the majority of hardware FIDO2 keys have a limited number of resident key slots (typically around 10).
At a System Configuration level you have the following options:
Login with passkey. Default: enabled
Bypass MFA when using a passkey. Default: yes
Disable password login when login with passkey is set up: Never, Always, Let the user decide. Default: Let the user decide.
Force login with passkey for these groups. Default: none selected.
A new area in the user account will let us manage login passkeys. Adding a new passkey will have an option for a resident or roaming passkey to let users determine which one they want to use.
If “Disable password login when login with passkey is set up” is set to “Let the user decide” AND there is at least one passkey set up, show another option:
Disable password login. Default: no
⚠️ We are NOT going to use attestation because of the various problems it creates among cheaper authenticator options, as we found out contributing this feature to Joomla a few years ago.
The login page will have a Login with Passkey button below the login button if the feature is enabled.
If “Disable password login when login with passkey is set up” is a. set to Always; or b. set to “Let the user decide” and the user has enabled “Disable password login”:
always fail a password login attempt
disable password reset for the user
disable the password fields with a message that only logging in with a passkey is allowed (and ignore these fields in the controller, when saving the user)
if “Bypass MFA when using a passkey” is also enabled, disable MFA reset for the user
If the user is in a group listed in the “Force login with passkey for these groups”: restrict them to the user edit page upon login with a message that they need to set up a passkey. It's the same as the forced MFA.
If “Bypass MFA when using a passkey” is enabled and the user logged in with a passkey, set the MFA success flag to true upon login so as to bypass MFA entirely.
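The login rules proposed above can be checked as a single policy function. This is an added sketch, not Panopticon code: every class, field and function name is hypothetical, and it assumes the password lockout only applies once the user has at least one login passkey and the feature is enabled.

```python
from dataclasses import dataclass

@dataclass
class Config:  # hypothetical field names; defaults follow the issue text
    login_with_passkey: bool = True
    bypass_mfa_with_passkey: bool = True
    disable_password_login: str = "user"  # "never" | "always" | "user"
    forced_passkey_groups: frozenset = frozenset()

@dataclass
class User:
    groups: frozenset = frozenset()
    login_passkeys: int = 0
    disable_password_login: bool = False  # per-user option, default "no"

@dataclass
class Decision:
    allowed: bool
    mfa_satisfied: bool = False
    restrict_to_user_edit: bool = False

def password_login_disabled(cfg, user):
    # Assumption: the rule only applies once a login passkey exists, as the
    # setting's name says, so nobody is locked out before enrolling one.
    if not cfg.login_with_passkey or user.login_passkeys == 0:
        return False
    if cfg.disable_password_login == "always":
        return True
    return cfg.disable_password_login == "user" and user.disable_password_login

def password_reset_allowed(cfg, user):
    return not password_login_disabled(cfg, user)

def mfa_reset_allowed(cfg, user):
    # MFA reset is blocked only when passkey login also bypasses MFA.
    return not (password_login_disabled(cfg, user) and cfg.bypass_mfa_with_passkey)

def evaluate_login(cfg, user, method):
    """method is "password" or "passkey"; the credential is assumed already verified."""
    if method not in ("password", "passkey"):
        raise ValueError(f"unknown login method: {method!r}")
    if method == "password" and password_login_disabled(cfg, user):
        return Decision(allowed=False)
    if method == "passkey" and not cfg.login_with_passkey:
        return Decision(allowed=False)
    # Forced groups: captive on the user edit page until a passkey is enrolled.
    forced = (cfg.login_with_passkey and user.login_passkeys == 0
              and bool(user.groups & cfg.forced_passkey_groups))
    bypass = method == "passkey" and cfg.bypass_mfa_with_passkey
    return Decision(True, mfa_satisfied=bypass, restrict_to_user_edit=forced)
```

Keeping the reset checks next to the login check makes it harder for a password or MFA reset path to become a way around the passkey-only setting.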