-
New Feature
-
Resolution: Unresolved
-
Major
-
None
-
Future Dev
-
10
This is essentially the same request as MDL-61361 but the tech has improved vastly since then and this is all now viable.
Broadly the new specs allow someone to authenticate using their phones finger print or face id and this would replace their password. This leverages some of the same specs that allows yubikeys to work for MFA but this feature is not about adding a second factor it is about replacing the first password factor.
User A needs to have signed up with a password, or be in the process of signing up, and instead of being prompted to set or change their password they would be prompted to register a device passkey as well or instead of a password. The spec is really neat and makes it fairly easy for the user to sync the passkeys from one device to another (eg iCloud keychain), and reuse them between web apps and mobile apps, and also to more smoothly register additional devices which span different operating systems (using either bluetooth or one time qr codes).
In the context of moodle I do not think this should be a new authentication plugin, I think it should be a new core feature and work with any authentication plugin which supports local passwords as it is essentially an alternative to a password and a given user may have a password and multiple passkeys and all still need to work. The first step is probably just getting it working with the auth_manual and auth_email and maybe its just a new method where each plugin opts in to the new flow.
https://web.dev/passkey-form-autofill/
https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI
https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html
https://developer.apple.com/videos/play/wwdc2020/10670/
