Unified login with email ("magic") link login + webauthn

[rsyring]

I'm trying to build a passwordless login that works with either an email login link or a webauthn device. Either would replace password based login and there would be no 2FA methods (beyond whatever are implicit in webauthn as the primary method).

The docs indicate passwordless is deprecated and unified sign-in should be used instead. But unified sign-in doesn't seem to support webauthn as it's methods are:

["password", "email", "authenticator", "sms"]

Is there a way to get passwordless email + webauthn out of the current flask-security implementation? If so, any tips on how to get there?

Thanks.

[jwag956]

They are separate features - but no reason they cant both be enabled:

SECURITY_WEBAUTHN=True
SECURITY_UNIFIED_SIGNIN=True
SECURITY_US_ENABLED_METHODS=["email"]
SECURITY_US_SIGNIN_REPLACES_LOGIN=True

The default forms should work as is - of course you might want to improve the UX.

[rsyring]

Thanks for the reply. I headed that route initially and got error messages about qrcode library and TOTP settings, none of which seemed relevant to my use case. I can give it another go when I get back to the computer.

[jwag956]

Make sure you set US_ENABLED_METHODS - if 'authenticator' is in there - that requires qrcode.

Looking at the code - there is an overly aggressive config check which is causing the TOTP config issue - that's a bug - you'll need to provide the TOTP config - even though it wont be used. I'll file an issue.

[jwag956]

Oops - not enough coffee on a Sunday morning - the unified signin email magic link uses TOTP to generate the one-time code. So that must be configured.