Better Security: WebAuthn should be allowed without using TOTP
WebAuthn should be allowed without first enabling TOTP.
Reason: I want to log into GitLab on the phone. If I have my password manager AND my TOTP app on the phone, then there's no 2nd factor at all, as both are in the same place.
Currently my options are to not log in on the phone or to buy another phone for the TOTP secret; both are options, but ridiculously annoying ones, when I could simply use a YubiKey or another WebAuthn-compatible device with the phone.
Also, hardware tokens do work with phones. There's USB-C nowadays and many tokens have USB-C. If not, a USB-C to USB-A adapter can be used. Some even have NFC. For iPhones, there are even tokens with a Lightning™ plug, but iPhones will move to USB-C over the next few years anyway.
GitLab.com does it like this and they do not force their users to enable the less secure 2FA method in order to use the better one.
Please don't force people to use TOTP as well just because it is a default setting.
There's no reason why a user should have to first set up TOTP just to then use WebAuthn.
The corresponding setting: webauthn_without_totp
Docs: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#set-up-a-webauthn-device
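As an added example (not part of the original request, and not GitLab's own tooling), here is how an instance administrator can flip that feature flag and then confirm its state, using GitLab's Feature flags REST API (POST /features/:name, GET /features) or, when on the server, gitlab-rails runner. The instance URL and the admin personal access token are assumptions supplied via environment variables; the JSON listing at the top is a constructed sample of what GET /features returns, used so that the state parser runs offline. It assumes each entry lists "name" before "state", as the documented response does.

```shell
#!/bin/sh
# Enable the webauthn_without_totp feature flag on a self-managed GitLab
# instance and verify it. Assumed inputs (not from the original post):
#   GITLAB_URL          e.g. https://gitlab.example.com
#   GITLAB_ADMIN_TOKEN  a personal access token of an administrator
# Run with --apply to actually talk to the instance.

FLAG="webauthn_without_totp"

# Constructed sample of a GET /api/v4/features response, for offline checks.
SAMPLE_FEATURES='[{"name":"webauthn_without_totp","state":"on","gates":[{"key":"boolean","value":true}],"definition":null},{"name":"some_other_flag","state":"off","gates":[{"key":"boolean","value":false}],"definition":null}]'

# gl_parse_state JSON NAME -> prints on|off|conditional, or "absent" if the
# flag is not in the listing. Pure text processing so it can be tested.
gl_parse_state() {
  state=$(printf '%s' "$1" | tr -d ' \n\t' \
    | grep -o "{\"name\":\"$2\",\"state\":\"[a-z]*\"" \
    | sed 's/.*"state":"\([a-z]*\)"$/\1/' \
    | head -n 1)
  if [ -n "$state" ]; then
    printf '%s\n' "$state"
  else
    printf 'absent\n'
  fi
}

# gl_enable_flag NAME -> POST /features/:name with value=true enables the
# flag instance-wide (admin token required).
gl_enable_flag() {
  curl --fail --silent --show-error \
    --request POST \
    --header "PRIVATE-TOKEN: ${GITLAB_ADMIN_TOKEN:?set an admin personal access token}" \
    --data "value=true" \
    "${GITLAB_URL:?set the instance URL}/api/v4/features/$1"
}

# gl_flag_state NAME -> queries GET /features and prints the parsed state.
gl_flag_state() {
  listing=$(curl --fail --silent --show-error \
    --header "PRIVATE-TOKEN: ${GITLAB_ADMIN_TOKEN:?set an admin personal access token}" \
    "${GITLAB_URL:?set the instance URL}/api/v4/features")
  gl_parse_state "$listing" "$1"
}

if [ "${1:-}" = "--apply" ]; then
  gl_enable_flag "$FLAG" >/dev/null
  echo "$FLAG is now: $(gl_flag_state "$FLAG")"
  # Equivalent on the GitLab server itself, without the API:
  #   sudo gitlab-rails runner "Feature.enable(:$FLAG)"
fi
```

After the flag reports "on", a user with no TOTP configured should be offered the WebAuthn device registration directly on the 2FA settings page; if it still reports "off" or "absent", the instance version may not ship that flag at all, in which case the linked docs page is the place to check.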