# talk-kratos
m
What does it mean when an issue is added to the stable release milestone? Does it mean it's already out or that it will be soon? Specifically, I noticed some PRs merged with passwordless auth (magic link), so I'm not sure if that's ready yet or not.
c
I would like to know about passwordless auth as well
m
Hey guys, see our Open Source Roadmap. If an issue is added to the stable release milestones, that means we are planning (from the Ory team) to close this issue when we release Kratos 1.0. It could also mean that someone from the community made a commitment to implement this. I am not 100% sure about the state of passwordless, but if the question is when it is available & released, the best answer I can give is
when it's done
(that being said, I think it is a matter of a few weeks) (as always, milestones are subject to change). This helps to prevent maintainer burnout and allows us to keep the quality stellar, I hope you understand 🙏
m
Of course, totally understand! I was just confused about the status.
d
Hello, does this passwordless authentication mean login with a link only, or logging in with TOTP, for example? I found this issue that seems to be on-topic, but open: https://github.com/ory/kratos/issues/2029.
If this corresponds, this might need to be added to the milestone.
m
Passwordless as it is implemented in Ory at the moment means with a link or through WebAuthn/FIDO (FaceID, etc.). "TOTP passwordless" is still an open issue.
d
Yes, what I'm aiming at, and @modern-controller-1963 as well, is a magic link, which has no password and no other factor than submitting an email and clicking the link in the email message. So no 2FA/MFA.
To give a bit more context: we want to provide three levels of security for our users. 1. For onboarding, users only need to provide an email address and check a box. Now they're "in", so we can provide services that aren't sensitive to security threats. 2. For more advanced features, we require users to set a password. 3. For highly sensitive features, such as financial transactions, we require a MFA/2FA authentication method. Which one remains TBD. But our product owner finds it essential that the onboarding has a sharp conversion rate, so removing any barriers, including password setting, is a requirement.
m
That makes sense yes. I am not sure how to get around the password setting, since Kratos requires some kind of credential. You could add a random password to the account until they reach the second stage maybe? Not sure if that is a security issue. In any case you can use the verification flow to generate a link that is sent by email and gives the user a session when they click it. You can then use custom email templates so they get a “normal” login email, not the verification one. The third stage which requires MFA you can implement with aal. Does this sound right to you as well @proud-plumber-24205?
p
No, I don't think there is any way around adding a credential from the user side, e.g. passwordless through WebAuthn or an actual password. Setting a random password for the user might be a security risk, since you might end up hacking together something that leaks the password or creates a loophole in the system. The current flow in Kratos is designed to be secure no matter which device is using it, e.g. native or browser.
m
I think in that case this would be a good feature request @damp-fireman-50971. I think your use case makes a lot of sense and will probably be well received by the rest of the community as well! Would you be willing to open one and provide a few details on the problem and ideal solution? That would help us a lot to keep track of it, triage and implement eventually: https://github.com/ory/kratos/issues/new?assignees=&labels=feat&template=FEATURE-REQUEST.yml Thanks 🙏
d
I certainly would, thanks! I'll take the time for this tomorrow.
I did not find the time today, but I've time-boxed to describe it on Monday.