Make externally-provisioned Yubikeys easier to configure
Summary
Our documentation mentions that it's possible to provision Yubikeys externally (in my use case, a custom attribute in an AD server) by crafting _2fDevices with a macro.
This works, but it becomes extremely complicated if we also want to support self-registered TOTP, because now we have to merge the existing _2fDevices with the new one.
Again, it's possible, with some arcane Perl syntax, but I think none of our users can manage to do it and keep their sanity.
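To show what that merge has to get right, here is an added illustration in Python (not a LemonLDAP::NG macro and not code from the project): it assumes _2fDevices is a JSON array of device objects where Yubikey entries have type "UBK" and keep the 12-character public ID in "_yubikey", keeps self-registered devices such as TOTP untouched, and avoids duplicating a Yubikey that is already registered. The sample device list and the Yubikey IDs are constructed.

```python
import json
import time

# Constructed sample of a user's _2fDevices value (assumed layout, not taken from the issue):
# one self-registered TOTP device plus one Yubikey that was already provisioned earlier.
SAMPLE_2F_DEVICES = json.dumps([
    {"type": "TOTP", "name": "MyPhone", "_secret": "BASE32SECRETPLACEHOLDER", "epoch": 1600000000},
    {"type": "UBK", "name": "Provisioned Yubikey", "_yubikey": "cccccccccccb", "epoch": 1600000001},
])


def merged_devices(existing_json, provisioned_ids, now=None):
    """Return the device list with one UBK entry per externally provisioned Yubikey.

    existing_json   -- current _2fDevices JSON string (may be empty/None for a new user)
    provisioned_ids -- Yubikey IDs read from the directory (full OTPs or public IDs)
    """
    now = int(time.time()) if now is None else now
    devices = json.loads(existing_json) if existing_json else []
    # Assumption: the stored ID is the 12-character modhex public ID, i.e. the OTP prefix.
    wanted = {yid[:12] for yid in provisioned_ids if yid}
    present = {d.get("_yubikey") for d in devices if d.get("type") == "UBK"}
    for yid in sorted(wanted - present):  # sorted so the output is deterministic
        devices.append({"type": "UBK", "name": "Provisioned Yubikey", "_yubikey": yid, "epoch": now})
    return devices


def merge_yubikeys(existing_json, provisioned_ids, now=None):
    """Same as merged_devices but returns the JSON string a _2fDevices macro must yield."""
    return json.dumps(merged_devices(existing_json, provisioned_ids, now))


if __name__ == "__main__":
    print(merge_yubikeys(SAMPLE_2F_DEVICES, ["cccccccccccb", "vvvvvvvvvvvvhfgjkltnrhbu"]))
```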
It would be so, so much easier to have a manager field that lets the user specify a session key in which the Yubikey ID is stored, and make the Yubikey code look directly into it.
Design proposition
Seems easy to implement:
- Add an optional "Lookup Yubikey ID in session attribute" option
- If this attribute is set, use it, and maybe fall back to registered 2F devices
- If this attribute is not set, use registered 2F devices as we currently do