Web Authentication, shortened as WebAuthn, is a standard method by which a web browser can authenticate to an application (the Relying Party, which in our case is LemonLDAP::NG) through the use of an Authenticator, which can be a hardware token (USB, NFC…) or provided by the user’s device itself (TPM).
New in version 2.0.14: Currently, we only implement WebAuthn as a second factor. Passwordless, first-factor authentication will be added in a later release.
Currently, we implement:
You need to install the Authen::WebAuthn CPAN module for WebAuthn to work on your LemonLDAP::NG installation. If there is no package for it in your distribution, you can install it with:
cpanm Authen::WebAuthn
WebAuthn is compatible with both FIDO and FIDO2 standards, which means this module lets you use any U2F-compatible device you already own.
You can use the lemonldap-ng-sessions tool to migrate existing U2F devices to the WebAuthn plugin:
# For one user
lemonldap-ng-sessions secondfactors migrateu2f dwho
# For all users
lemonldap-ng-sessions secondfactors migrateu2f --all
Once you are satisfied with WebAuthn, you can remove existing U2F devices and disable the U2F second factor module:
# For one user
lemonldap-ng-sessions secondfactors delType dwho U2F
# For all users
lemonldap-ng-sessions secondfactors delType --all U2F