Right now every authorization rule that checks for webauthn must first determine whether webauthn is registered, which takes multiple database queries.
We should consider an alternative. Perhaps at authentication time the Authentication or its principal could be updated to indicate whether a passkey is registered. Then we could use that for authorization.
Another alternative (which I think I prefer) is to look up, at authentication time, which factors the user has enabled. For webauthn, we would check whether they have a passkey registered and then record that factor.
We could allow developers to customize that lookup process, for example to decide whether OTT should be enabled (do they have an email or phone number registered?).
We'd then provide an AuthorizationManager that authorizes conditionally, based on the factors the user has registered.
NOTE: This could be a (partial) rewrite of some of the conditional MFA that we have.
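The following sketch is an added example of the second alternative, not code from the issue or from Spring Security itself. It resolves the user's registered factors once, right after primary authentication, records them on the Authentication as authorities, and then supplies an AuthorizationManager that only has to read those authorities. `RegisteredFactorsLookup`, the `FACTOR_` authority prefix, and the helper method names are hypothetical; the Spring Security types used (`AuthorizationManager`, `AuthorizationDecision`, `UsernamePasswordAuthenticationToken.authenticated`, `SimpleGrantedAuthority`, `RequestAuthorizationContext`) are real.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

/**
 * Sketch of the proposal: resolve which factors a user has registered once, at
 * authentication time, and record them on the Authentication so that
 * authorization rules do not need to query the database per request.
 *
 * RegisteredFactorsLookup, FACTOR_PREFIX and the method names here are
 * hypothetical; they are not existing Spring Security API.
 */
public class RegisteredFactorsExample {

    /** Extension point a developer customizes (e.g. "is there a verified email for OTT?"). */
    @FunctionalInterface
    interface RegisteredFactorsLookup {
        Set<String> lookup(String username);
    }

    /** Hypothetical convention: each registered factor becomes a FACTOR_<name> authority. */
    static final String FACTOR_PREFIX = "FACTOR_";

    /** Runs once after primary authentication succeeds, replacing per-rule database lookups. */
    static Authentication attachRegisteredFactors(Authentication primary, RegisteredFactorsLookup lookup) {
        Collection<GrantedAuthority> authorities = new ArrayList<>(primary.getAuthorities());
        for (String factor : lookup.lookup(primary.getName())) {
            authorities.add(new SimpleGrantedAuthority(FACTOR_PREFIX + factor));
        }
        // Rebuild the token so the resolved factors travel with the principal.
        return UsernamePasswordAuthenticationToken.authenticated(
                primary.getPrincipal(), primary.getCredentials(), authorities);
    }

    /** AuthorizationManager that grants only if the required factor was resolved at login. */
    static AuthorizationManager<RequestAuthorizationContext> hasRegisteredFactor(String factor) {
        String required = FACTOR_PREFIX + factor;
        return (Supplier<Authentication> authentication, RequestAuthorizationContext context) -> {
            Authentication auth = authentication.get();
            boolean granted = auth != null && auth.isAuthenticated()
                    && auth.getAuthorities().stream()
                            .anyMatch(a -> required.equals(a.getAuthority()));
            return new AuthorizationDecision(granted);
        };
    }

    public static void main(String[] args) {
        // Constructed stand-in for the real lookup: only "alice" has a passkey and an email on file.
        RegisteredFactorsLookup lookup = username -> "alice".equals(username)
                ? Set.of("webauthn", "ott")
                : Set.of();

        List<GrantedAuthority> baseRoles = List.of(new SimpleGrantedAuthority("ROLE_USER"));
        Authentication alice = attachRegisteredFactors(
                UsernamePasswordAuthenticationToken.authenticated("alice", null, baseRoles), lookup);
        Authentication bob = attachRegisteredFactors(
                UsernamePasswordAuthenticationToken.authenticated("bob", null, baseRoles), lookup);

        // The rule itself never touches the database; it only reads what login already resolved.
        AuthorizationManager<RequestAuthorizationContext> requiresPasskey = hasRegisteredFactor("webauthn");
        System.out.println("alice: " + requiresPasskey.check(() -> alice, null).isGranted());
        System.out.println("bob:   " + requiresPasskey.check(() -> bob, null).isGranted());
    }
}
```

One caveat worth designing for: because the factor set is snapshotted at login, a passkey registered or removed mid-session is not reflected until the Authentication is refreshed, so any flow that changes a user's factors should also re-run the lookup and replace the Authentication in the security context.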