feat(session): webauthn can now be a first factor as well
aeneasr committed Mar 7, 2022
1 parent 1a8b256 commit 861bee0
Showing 2 changed files with 12 additions and 0 deletions.
5 changes: 5 additions & 0 deletions identity/aal.go
@@ -5,6 +5,7 @@ func DetermineAAL(cts []CredentialsType) AuthenticatorAssuranceLevel {

var firstFactor bool
var secondFactor bool
var foundWebAuthn bool
for _, a := range cts {
switch a {
case CredentialsTypeRecoveryLink:
@@ -21,13 +22,17 @@ func DetermineAAL(cts []CredentialsType) AuthenticatorAssuranceLevel {
secondFactor = true
case CredentialsTypeWebAuthn:
secondFactor = true
foundWebAuthn = true
}
}

if firstFactor && secondFactor {
aal = AuthenticatorAssuranceLevel2
} else if firstFactor {
aal = AuthenticatorAssuranceLevel1
} else if foundWebAuthn {
// If none of the above match but WebAuthn is set, we have AAL1
aal = AuthenticatorAssuranceLevel1
}

// Using only the second factor is not enough for any type of assurance.
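Review bot: The new `else if foundWebAuthn` branch grants AAL1 from the credential type alone, so a WebAuthn credential enrolled purely as a second factor cannot be told apart here from one used for passwordless login. `DetermineAAL` only receives `[]CredentialsType`, so it presumably relies on the login flow to guarantee that a WebAuthn-only list comes from a first-factor ceremony. That precondition should be written at the branch, e.g. `// Precondition: a WebAuthn-only list is produced solely by a passwordless (first-factor) login; a 2FA-only key must never reach this on its own.` The trailing comment `// Using only the second factor is not enough for any type of assurance.` is now inaccurate for WebAuthn and should be reworded to exclude it. The function body starts before and continues after the visible hunks.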
7 changes: 7 additions & 0 deletions identity/aal_test.go
@@ -107,6 +107,13 @@ func TestDetermineAAL(t *testing.T) {
},
expected: AuthenticatorAssuranceLevel2,
},
{
d: "webauthn only is aal1",
methods: []CredentialsType{
CredentialsTypeWebAuthn,
},
expected: AuthenticatorAssuranceLevel1,
},
} {
t.Run("case="+tc.d, func(t *testing.T) {
assert.Equal(t, tc.expected, DetermineAAL(tc.methods))
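Review bot: The added case pins only the WebAuthn-alone list. A list that combines WebAuthn with another second-factor type and no password also falls into the new `foundWebAuthn` branch of `DetermineAAL`, and it is not covered. A case such as `methods: []CredentialsType{CredentialsTypeWebAuthn, CredentialsTypeTOTP}` with the intended `expected` value would fix whether that session counts as AAL1 or AAL2, so a later change cannot silently shift the assurance level. The test table starts before this hunk and the `t.Run` body ends after it.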
