Restricting webauthn enrolment with LoA

The authoritative credential my users have is a smart card. I have an X509 flow set up to allow them to authenticate successfully.

I would like to enable my users to be able to enrol webauthn factors for increased convenience, but not without proof of possession of their smart card; they should not be able to use a webauthn factor to enrol more webauthn factors, but they should be allowed to enrol webauthn factors if they have authenticated via X509.

If you’re familiar with the concept of PIV derived credentials in the U.S. federal government space, I’m trying to achieve effectively the same thing.

The easiest way to achieve this seems to be by allowing access to account-console only for users with an ACR/LoA that reflects they authenticated via X509, but that doesn’t seem possible at the moment. Are there any other ways to achieve what I’m attempting here?

(I originally hijacked another thread with this issue, but it probably deserves its own discussion.)

One way to do this could be to ask the user (as an optional step) if they want to enroll a WebAuthn factor, such as passkeys, during the login process, but only after a successful X509 authentication step.

I implemented a similar approach here [1]. In my case, it involved progressive passkey enrollment during the sign-in process.

[1] GitHub - embesozzi/keycloak-workshop-stepup-mfa-biometrics: Keycloak Workshop for Step Up with MFA Biometrics Authentication (Passkeys) and Passwordless experience with Passkeys

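Whichever flow ends up prompting for enrolment, the enrolment endpoint still needs a server-side check that the current session was established with the smart card rather than with an already-enrolled WebAuthn factor. The following is an added illustration (not code from the thread or the linked workshop) of that check using standard OIDC claims; the ACR value, the use of RFC 8176 AMR names and the freshness window are assumptions.

```python
"""Gate WebAuthn enrolment on a session authenticated with the primary
credential (smart card via X509), never with a WebAuthn factor alone.
Constructed example; claim names follow OIDC core (acr, amr, auth_time)."""
import time
from typing import Optional, Tuple

# Assumed values: the ACR your X509 flow is configured to emit, and the
# RFC 8176 AMR value for a smart card.  "hwk" is the AMR for a hardware key
# such as a WebAuthn authenticator and must not satisfy this check.
X509_ACR = "urn:example:loa:x509"   # placeholder, replace with your ACR
SMARTCARD_AMR = "sc"
MAX_AUTH_AGE_SECONDS = 300          # enrol only shortly after a fresh login


def can_enrol_webauthn(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a WebAuthn enrolment request.

    Allow only when the ACR is the X509 level AND the AMR list shows the
    smart card was actually used (an ACR alone may be reachable through
    other step-up paths) AND the authentication is recent."""
    now = time.time() if now is None else now
    if claims.get("acr") != X509_ACR:
        return False, "acr does not reflect X509 authentication"
    if SMARTCARD_AMR not in (claims.get("amr") or []):
        return False, "smart card not among the authentication methods"
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False, "auth_time missing"
    if now - auth_time > MAX_AUTH_AGE_SECONDS:
        return False, "authentication too old; re-authenticate with the smart card"
    return True, "ok"


# Constructed sessions: a smart-card login, and a login that used only a
# previously enrolled WebAuthn key (the case the question wants to block).
SMARTCARD_SESSION = {"acr": X509_ACR, "amr": ["sc"], "auth_time": 1000}
WEBAUTHN_ONLY_SESSION = {"acr": "urn:example:loa:webauthn", "amr": ["hwk"],
                         "auth_time": 1000}

if __name__ == "__main__":
    for name, claims in (("smartcard", SMARTCARD_SESSION),
                         ("webauthn-only", WEBAUTHN_ONLY_SESSION)):
        print(name, can_enrol_webauthn(claims, now=1100))
```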