diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml
index 497b483b..0ed2b02f 100644
--- a/lam/docs/manual-sources/appendix-security.xml
+++ b/lam/docs/manual-sources/appendix-security.xml
@@ -445,4 +445,51 @@ semodule -i httpdlocal.pp
+
+
+ Webauthn/FIDO2
+
+ LAM allows to secure logins via Webauthn/FIDO2. This
+ means your users login with their LDAP password and an additional hardware
+ token (e.g. Yubico Security Key, Windows Hello and many more).
+
+ Webauthn/FIDO2 is a very strong 2-factor-authentication method as it
+ also checks the website domain. This prevents attacks via web
+ proxies.
+
+ To use this feature you need to activate the 2-factor authentication
+ in LAM.
+
+ LAM admin interface
+
+ Please activate Webauthn/FIDO2 in your LAM server profile. Then users
+ will be asked to authenticate via Webauthn/FIDO2 on each login.
+
+ If no device is registered for a user then LAM will ask for this
+ during login. Afterwards, users can manage their devices with the Webauthn tool.
+
+ LAM Self Service
+
+ Please activate Webauthn/FIDO2 in your LAM self service profile. Then users will
+ be asked to authenticate via Webauthn/FIDO2 on each login.
+
+ If no device is registered for a user then LAM will ask for this
+ during login. Afterwards, users can manage their devices with the Webauthn field.
+
+ Global device management
+
+ This is for cases where one of your users has no more access to his
+ device and cannot login anymore. In this case you can delete his device(s)
+ in the LAM main
+ configuration.
+
+ Note that devices can only be deleted. Registration of devices can
+ only be done by the user during login or on the management pages listed
+ above.
+
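Review bot: the "LAM admin interface" paragraph tells users to manage devices "with the Webauthn tool", but this same change renames that tool to "Webauthn devices" in lam/lib/tools/webauthn.inc, so the appendix should use the new name or readers will not find it. The "Global device management" paragraph could also state what happens after an admin deletes a user's devices: per the earlier paragraph, LAM asks the user to register a new device at the next login, which is exactly the recovery path an admin is looking for here. Minor wording: "LAM allows to secure logins" should read "LAM allows you to secure logins", and "his device" / "his device(s)" should be "their device(s)".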
diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml
index dba4bed7..16b71aad 100644
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -259,8 +259,11 @@
-
- Webauthn devices
+
+ Webauthn/FIDO2 devices
+
+ See the Webauthn/FIDO2 appendix
+ for an overview about Webauthn/FIDO2 in LAM.Here you can delete any webauthn device registrations. This
section is only shown if at least one device is registered.
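Review bot: the new cross-reference and the existing sentence run together ("...in LAM.Here you can delete any webauthn device registrations"); a paragraph break, or at least a space, is missing after the link element. Also "overview about Webauthn/FIDO2" should be "overview of Webauthn/FIDO2" (the same phrase is repeated in the other chapters of this patch).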
@@ -655,7 +658,8 @@
- 2-factor authentication
+ 2-factor
+ authenticationLAM supports 2-factor authentication for your users. This means
the user will not only authenticate by user+password but also with
@@ -783,6 +787,9 @@
Webauthn/FIDO2
+ See the Webauthn/FIDO2
+ appendix for an overview about Webauthn/FIDO2 in LAM.
+
Users will be asked to register a device during login if no
device is setup.
diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml
index eebead07..a3b72a40 100644
--- a/lam/docs/manual-sources/chapter-selfService.xml
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@@ -304,7 +304,7 @@
-
+ 2-factor authenticationLAM supports 2-factor authentication for your users. This means
@@ -329,6 +329,11 @@
Duo
+
+
+ Webauthn/FIDO2
+ privacyIDEA
@@ -424,6 +429,30 @@
+ Webauthn/FIDO2
+
+ See the Webauthn/FIDO2
+ appendix for an overview about Webauthn/FIDO2 in LAM.
+
+ Users will be asked to register a device during login if no
+ device is setup.
+
+
+
+ Domain: Please enter the WebAuthn domain. This is the public
+ domain of the web server (e.g. "example.com"). Do not include
+ protocol or port. Browsers will reject authentication if the
+ domain does not match the web server domain.
+
+
+
+ Optional: By default LAM will enforce to use a 2FA device
+ and reject users that do not setup one. You can set this check to
+ optional. But if a user has setup a device then this will always
+ be required.
+
+
+
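Review bot: the "Domain" entry says browsers reject authentication if the value does not match the web server domain, but WebAuthn also accepts a registrable-domain suffix of the origin's host as the RP ID, so "example.com" is valid for a server reached as lam.example.com; saying so explicitly helps admins choose between the bare domain and the full host name. It is also worth warning that changing this value later invalidates all previously registered credentials, because they are bound to the RP ID, so every user would have to register again. For the "Optional" entry, state the security consequence plainly: users who have not registered a device can then log in with their password alone, so the setting weakens the guarantee for exactly those users until they enrol. Wording: "enforce to use a 2FA device" should read "require a 2FA device", and "do not setup one" should read "have not set one up".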
@@ -495,7 +524,8 @@
- Possible input fields
+ Possible input
+ fieldsThis is a list of input fields you may add to the self service
page.
@@ -985,6 +1015,19 @@
each time the Windows password is changed.
+
+
+
+
+
+ Webauthn
+
+ Webauthn devices
+
+ Allows the user to manage his webauthn/FIDO2 security
+ keys.
+
+
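Review bot: the field description uses "his webauthn/FIDO2 security keys"; use "their" and the capitalisation "Webauthn/FIDO2" that the rest of this patch uses, so the field text matches the appendix and the tools chapter.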
diff --git a/lam/docs/manual-sources/chapter-tools.xml b/lam/docs/manual-sources/chapter-tools.xml
index 436d8853..63ffcb1d 100644
--- a/lam/docs/manual-sources/chapter-tools.xml
+++ b/lam/docs/manual-sources/chapter-tools.xml
@@ -423,6 +423,9 @@
Webauthn devices
+ See the Webauthn/FIDO2 appendix
+ for an overview about Webauthn/FIDO2 in LAM.
+
Here you can manage your webauthn/FIDO2 devices.You can register additional security devices and remove old ones. If
diff --git a/lam/docs/manual-sources/images/webauthn.png b/lam/docs/manual-sources/images/webauthn.png
new file mode 100644
index 00000000..31072bb2
Binary files /dev/null and b/lam/docs/manual-sources/images/webauthn.png differ
diff --git a/lam/lib/tools/webauthn.inc b/lam/lib/tools/webauthn.inc
index eb97ec29..ab0317ae 100644
--- a/lam/lib/tools/webauthn.inc
+++ b/lam/lib/tools/webauthn.inc
@@ -43,7 +43,7 @@ class toolWebauthn implements \LAMTool {
* @return string name
*/
function getName() {
- return "Webauthn";
+ return _('Webauthn devices');
}
/**
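Review bot: wrapping the tool name in _() makes it translatable, so the new msgid "Webauthn devices" has to be added to the translation catalogs or every non-English locale will keep showing the English name in the tools list. Since getName() now returns a different and locale-dependent string, also double-check that nothing else looks the tool up by the old return value "Webauthn".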