Fido2Agnostic
Login via FIDO2 or FIDO U2F (U2F can be disabled in configuration). Authentication is done by using a username and a pre-enrolled FIDO token.
Properties
Clarification regarding user verification
Setting the "userVerificationRequirement" parameter to 'required' enforces that no "one-factor" authentication is possible (a FIDO U2F token with no PIN code or biometric authentication). If you still wish to support the legacy FIDO U2F method, you can do so and enforce MFA in other ways through the 'unverifiedRequestParameter' configuration property. You may set this property to anything you wish; by default, the request parameter 'fidoUserUnverified' is added to the request if no additional user verification was done during the token authentication. You may want to set up a SequenceAuthenticator that prompts for a password after Fido2Agnostic has run and set the 'fidoUserUnverified' parameter, or something similar. The parameter can be accessed within the Fido2Agnostic pipe via {{request.fidoUserUnverified}}, or under whatever name you set the configuration property to.
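The decision described above rests on the UV (user verified) flag in the WebAuthn authenticatorData that the token returns. The following is an added illustration of that check, not Fido2Agnostic's own code: the function names, the relying party ID and the parameter value "true" are assumptions, and signature verification is left out.

```python
import hashlib
import struct

FLAG_UP = 0x01  # user present (token was touched)
FLAG_UV = 0x04  # user verified (PIN or biometric check on the token)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def evaluate_assertion(auth_data: bytes, rp_id: str,
                       user_verification_requirement: str = "preferred",
                       unverified_request_parameter: str = "fidoUserUnverified") -> dict:
    """Return the request parameters to add, or raise if the assertion is refused."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the relying party ID")
    if not parsed["user_present"]:
        raise ValueError("user presence flag not set")
    if parsed["user_verified"]:
        return {}  # token performed PIN/biometric verification: nothing to flag
    if user_verification_requirement == "required":
        raise PermissionError("user verification required but UV flag not set")
    # Legacy U2F style touch-only login: mark the request so a later step
    # (for example a password prompt) can supply the second factor.
    return {unverified_request_parameter: "true"}  # value "true" is an assumption


def sample_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed authenticatorData for the demonstration."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    rp = "login.example.test"  # constructed relying party ID
    print(evaluate_assertion(sample_auth_data(rp, FLAG_UP | FLAG_UV), rp))
    print(evaluate_assertion(sample_auth_data(rp, FLAG_UP), rp))
```
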
Example Configuration
{
    "alias": "fidoauth",
    "name": "Fido2Agnostic",
    "configuration": {
        "pipeID": "tokenPipe"
    }
}
Requirements
User must have at least one FIDO token enrolled.