Lack of WebAuthn 2FA for OpenID Users

lina

Feb 12, 2025
We noticed that when using OpenID in Proxmox, there is no option to set up WebAuthn as a second-factor authentication method. We would like to understand why this is not implemented and whether it can be enabled in the current version. If it is not available, is there a plan to develop this feature?


Having second-factor authentication verified directly on the Proxmox side would provide additional security. This would ensure that even if an OpenID account is compromised, an attacker would not be able to access Proxmox without WebAuthn authentication.
 
I think, AFAIK, when using OpenID, it gives authentication to the provider, in my case authentik, where you can configure TOTP, hardware keys and such things.

However, I just saw that you can still activate WebAuthn and also TOTP when logging into the OpenID user and going to Datacenter->Permissions->Two-Factor.
 
Yes, it exists, but you can't enable it as it constantly requires a password.
On the OpenID side, it's possible, but the point is to have the second factor verified on the Proxmox side. If OpenID is compromised, the attacker would still need to pass 2FA on Proxmox.