webauthn

lam/docs/manual-sources/appendix-security.xml

@@ -445,4 +445,51 @@ semodule -i httpdlocal.pp</programlisting>
 </programlisting>
     </section>
   </section>
+
+  <section id="a_webauthn">
+    <title>Webauthn/FIDO2</title>
+
+    <para>LAM allows to secure logins via <ulink
+    url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink>. This
+    means your users login with their LDAP password and an additional hardware
+    token (e.g. Yubico Security Key, Windows Hello and many more).</para>
+
+    <para>Webauthn/FIDO2 is a very strong 2-factor-authentication method as it
+    also checks the website domain. This prevents attacks via web
+    proxies.</para>
+
+    <para>To use this feature you need to activate the 2-factor authentication
+    in LAM.</para>
+
+    <para><emphasis role="bold">LAM admin interface</emphasis></para>
+
+    <para>Please activate Webauthn/FIDO2 in your <link
+    linkend="conf_serverprofile_2fa">LAM server profile</link>. Then users
+    will be asked to authenticate via Webauthn/FIDO2 on each login.</para>
+
+    <para>If no device is registered for a user then LAM will ask for this
+    during login. Afterwards, users can manage their devices with the <link
+    linkend="tool_webauthn">Webauthn tool</link>.</para>
+
+    <para><emphasis role="bold">LAM Self Service</emphasis></para>
+
+    <para>Please activate Webauthn/FIDO2 in your <link
+    linkend="selfservice_2fa">LAM self service profile</link>. Then users will
+    be asked to authenticate via Webauthn/FIDO2 on each login.</para>
+
+    <para>If no device is registered for a user then LAM will ask for this
+    during login. Afterwards, users can manage their devices with the <link
+    linkend="selfservice_fields">Webauthn field</link>.</para>
+
+    <para><emphasis role="bold">Global device management</emphasis></para>
+
+    <para>This is for cases where one of your users has no more access to his
+    device and cannot login anymore. In this case you can delete his device(s)
+    in the <link linkend="confmain_webauthn">LAM main
+    configuration</link>.</para>
+
+    <para>Note that devices can only be deleted. Registration of devices can
+    only be done by the user during login or on the management pages listed
+    above.</para>
+  </section>
 </appendix>

lam/docs/manual-sources/chapter-configuration.xml

@@ -259,8 +259,11 @@
       </screenshot>
     </section>
 
-    <section>
+    <section id="confmain_webauthn">
-      <title>Webauthn devices</title>
+      <title>Webauthn/FIDO2 devices</title>
+
+      <para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
+      for an overview about Webauthn/FIDO2 in LAM.</para>
 
       <para>Here you can delete any webauthn device registrations. This
       section is only shown if at least one device is registered.</para>
@@ -655,7 +658,8 @@
           </mediaobject>
         </screenshot>
 
-        <para><emphasis role="bold">2-factor authentication</emphasis></para>
+        <para id="conf_serverprofile_2fa"><emphasis role="bold">2-factor
+        authentication</emphasis></para>
 
         <para>LAM supports 2-factor authentication for your users. This means
         the user will not only authenticate by user+password but also with
@@ -783,6 +787,9 @@
 
         <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
 
+        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
+        appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
+
         <para>Users will be asked to register a device during login if no
         device is setup.</para>
 

lam/docs/manual-sources/chapter-selfService.xml

@@ -304,7 +304,7 @@
 
       <para/>
 
-      <section>
+      <section id="selfservice_2fa">
         <title>2-factor authentication</title>
 
         <para>LAM supports 2-factor authentication for your users. This means
@@ -329,6 +329,11 @@
           <listitem>
             <para><ulink url="https://duo.com/">Duo</ulink></para>
           </listitem>
+
+          <listitem>
+            <para><ulink
+            url="https://en.wikipedia.org/wiki/WebAuthn">Webauthn/FIDO2</ulink></para>
+          </listitem>
         </itemizedlist>
 
         <para><emphasis role="bold">privacyIDEA</emphasis></para>
@@ -424,6 +429,30 @@
           </listitem>
         </itemizedlist>
 
+        <para><emphasis role="bold">Webauthn/FIDO2</emphasis></para>
+
+        <para>See the <link linkend="a_webauthn">Webauthn/FIDO2
+        appendix</link> for an overview about Webauthn/FIDO2 in LAM.</para>
+
+        <para>Users will be asked to register a device during login if no
+        device is setup.</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Domain: Please enter the WebAuthn domain. This is the public
+            domain of the web server (e.g. "example.com"). Do not include
+            protocol or port. Browsers will reject authentication if the
+            domain does not match the web server domain.</para>
+          </listitem>
+
+          <listitem>
+            <para>Optional: By default LAM will enforce to use a 2FA device
+            and reject users that do not setup one. You can set this check to
+            optional. But if a user has setup a device then this will always
+            be required.</para>
+          </listitem>
+        </itemizedlist>
+
         <screenshot>
           <mediaobject>
             <imageobject>
@@ -495,7 +524,8 @@
         </mediaobject>
       </screenshot>
 
-      <para><emphasis role="bold">Possible input fields</emphasis></para>
+      <para id="selfservice_fields"><emphasis role="bold">Possible input
+      fields</emphasis></para>
 
       <para>This is a list of input fields you may add to the self service
       page.</para>
@@ -985,6 +1015,19 @@
               each time the Windows password is changed.</entry>
             </row>
 
+            <row>
+              <entry><inlinemediaobject>
+                  <imageobject>
+                    <imagedata fileref="images/webauthn.png"/>
+                  </imageobject>
+                </inlinemediaobject>Webauthn</entry>
+
+              <entry>Webauthn devices</entry>
+
+              <entry>Allows the user to manage his webauthn/FIDO2 security
+              keys.</entry>
+            </row>
+
             <row>
               <entry morerows="1"><inlinemediaobject>
                   <imageobject>

lam/docs/manual-sources/chapter-tools.xml

@@ -423,6 +423,9 @@
   <section>
     <title id="tool_webauthn">Webauthn devices</title>
 
+    <para>See the <link linkend="a_webauthn">Webauthn/FIDO2 appendix</link>
+    for an overview about Webauthn/FIDO2 in LAM.</para>
+
     <para>Here you can manage your webauthn/FIDO2 devices.</para>
 
     <para>You can register additional security devices and remove old ones. If

lam/lib/tools/webauthn.inc

@@ -43,7 +43,7 @@ class toolWebauthn implements \LAMTool {
 	 * @return string name
 	 */
 	 function getName() {
-	 	return "Webauthn";
+	 	return _('Webauthn devices');
 	 }
 
 	/**