
brainy-plumber-70688

04/21/2022, 10:52 PM
When you do passwordless, does it count as AAL2?

magnificent-energy-493

04/22/2022, 6:46 AM
Yes, when you complete a second factor (totp, lookup_secrets, webauthn) that counts as AAL2

steep-lamp-91158

04/22/2022, 2:27 PM
AAL2 just means two factors, but it does not require any of them to be a password

brainy-plumber-70688

04/22/2022, 6:17 PM
@User got it. So from my understanding webauthn can work as passwordless and as second factor. Can it do both? One user has password and webauthn. Another user has webauthn and totp.

steep-lamp-91158

04/22/2022, 7:20 PM
I mean, passwordless just means no password, and second factor means that there is a second factor. I don't really see a dependency between the two terms?

brainy-plumber-70688

04/22/2022, 9:01 PM
@User https://www.ory.sh/docs/kratos/guides/two-factor-authentication-2fa-mfa#authenticator-assurance-level-aal Here AAL2 is explained as first (password or oidc) plus second (webauthn).
Ory's WebAuthN implementation can be used for both multi-factor authentication and passwordless authentication. You need to configure whether WebAuthn is used for passwordless, or for multi-factor authentication.
This implies that webauthn can only be used either as "first" or as "second", but not as both. My question was whether the user can decide how to use it themselves, and it looks like the answer is no.

steep-lamp-91158

04/23/2022, 2:27 PM
webauthn usually proves possession of a physical thing, which is one factor; it wouldn't make much sense to use it twice, same as you don't have two passwords anywhere
but yeah, I also think it is not possible to have the user decide the order of auth methods
i.e.
Ory's WebAuthN implementation can be used for both multi-factor authentication and passwordless authentication. You need to configure whether WebAuthn is used for passwordless, or for multi-factor authentication.

brainy-plumber-70688

04/25/2022, 5:44 PM
Got it, thanks!