Passkey Settings

[usatony]

Hi,

I've just gotten started with Kratos (and computer engineering) and have built a custom UI. It has honestly been tough, but I have absolutely loved the challenge!

A few ideas about Passkeys:

1. Can we add a configuration key, like method.passkey.assurance_level, where we can set the value to either aal1 or aal2? After all, passkey use requires something you have (the passkey-containing device) plus either something you know (a code) or something you are (your face or fingerprint).

Alternatively, perhaps it would be cleaner to add a hook named aal2_stepup to selfservice.flows.login.after.password/webauthn/code/etc.hooks so that, if a user tries to log in using only those methods, at the end of the normal flow, they get an aal2 stepup requirement prior to the login flow completing and the session cookie being issued.

Ideally, if the user sets a passkey, I'd like them to be able to log in with just the passkey. If they do not set a passkey, I'd like to require them to submit two authentication factors with one factor being a password (password + TOTP, password + WebAuthn, password + emailed code, etc.). But I cannot do this. If I require aal2, I can't get the speedy passkey login experience I want.

2. Is there any discussion about implementing automatic passkey upgrades? An automatic passkey upgrade is a WebAuthn feature that allows users to replace passwords with passkeys without requiring additional user actions. Users autofill their password and in the background a new passkey is created and stored in the user's credential manager.

selfservice.methods.passkey.auto_upgrade: true could turn it on.

I think this would greatly benefit the cause of account security.

Thanks for your consideration. I'm pretty new at programming and even newer to Kratos, Docker, Google Cloud, and GitHub, so I apologize in advance if I didn't use precise terminology of if what I am requesting either already exists or would pose a ridiculous security problem.

P.S. Sorry if this is the wrong place to ask this especially since it's off-topic, but is there any better way of replacing the default Kratos message responses in my custom UI than what I'm doing? I basically have a JavaScript function scan for the presence of any message IDs. If present, the function searches the keys in a dictionary for a match. If there's a match, the Kratos message gets replaced with the matching id's value from within the dictionary. Is this really the best I can do here other than forking Kratos and changing the default messages within the code? Also, is there an index somewhere of every message ID and code? The trial and error aspect of finding id numbers has been rough. Thanks again!

[vinckr]

Hello @usatony
great to have you.
Maybe my colleague @jhickmanit can comment on the Passkey idea, thats sort of his speciality 😁

As for your off-topic questions

is there any better way of replacing the default Kratos message responses in my custom UI than what I'm doing?

What you’re doing (mapping Kratos message IDs to your own texts) is exactly what those IDs are meant for. A lookup table keyed by id is the intended customization mechanism for a custom UI. You don’t need to fork Kratos for this.

, is there an index somewhere of every message ID and code?

Yes, you can find them here in the docs

[usatony]

Thanks so much for your reply and direction! I really appreciate it.