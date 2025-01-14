Version: 15.x

Second Factor: WebAuthn

Teleport supports WebAuthn as a second authentication factor. WebAuthn can be used for logging in to Teleport ( tsh login or the login page on the Web UI) and for logging in to individual SSH nodes or Kubernetes clusters ( tsh ssh and kubectl ).

WebAuthn support includes hardware devices, such as YubiKeys or SoloKeys as well as biometric authenticators like Touch ID and Windows Hello ( tsh and Web UI).

A running Teleport cluster version 15.4.30 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl admin tool and tsh client tool. On Teleport Enterprise, you must use the Enterprise version of tctl , which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading tctl and tsh for Teleport Community Edition.

WebAuthn hardware device, such as YubiKey or SoloKey

A Web browser with WebAuthn support

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example: teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

WebAuthn is disabled by default. To enable WebAuthn support, update your Teleport configuration as below:

Dynamic resources

Static Config Edit the cluster_auth_preference resource: tctl edit cap Update the cluster_auth_preference definition to include the following content: kind: cluster_auth_preference version: v2 metadata: name: cluster-auth-preference spec: type: local second_factor: "on" webauthn: rp_id: example.com attestation_allowed_cas: - "/path/to/allowed_ca.pem" - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- attestation_denied_cas: - "/path/to/denied_ca.pem" - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- Save and exit the file. tctl will update the remote definition: cluster auth preference has been updated Edit the Auth Server's teleport.yaml file and restart all Auth Services: auth_service: authentication: type: local second_factor: on webauthn: rp_id: example.com attestation_allowed_cas: - "/path/to/allowed_ca.pem" - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- attestation_denied_cas: - "/path/to/denied_ca.pem" - | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

rp_id is the public domain of the Teleport Proxy Service, excluding protocol ( https:// ) and port number.

attestation_allowed_cas is an optional allow list of certificate authorities (as local file paths or inline PEM certificate strings) for device verification.

This field allows you to restrict which device models and vendors you trust. Devices outside of the list will be rejected during registration. By default all devices are allowed. If you must use attestation, consider using attestation_denied_cas to forbid troublesome devices instead.

attestation_denied_cas is an optional deny list of certificate authorities (as local file paths or inline PEM certificate strings) for device verification.

This field allows you to forbid specific device models and vendors, while allowing all others (provided they clear attestation_allowed_cas as well). Devices within this list will be rejected during registration. By default no devices are forbidden.

A user can register multiple WebAuthn devices using tsh :

tsh mfa add

tip tsh mfa picks the strongest known second factor you have for the "Tap any registered security key" step. This may be undesirable at times, so you may fallback to a weaker second factor, like OTP, using tsh mfa add --mfa-mode=otp . See the possible --mfa-mode values in the Teleport CLI Reference page.

Once a WebAuthn device is registered, the user will be prompted for it on login:

Teleport Community Edition

Teleport Enterprise

Teleport Enterprise Cloud tsh login --proxy=example.com tsh login --proxy=example.com tsh login --proxy=mytenant.teleport.sh

note WebAuthn for logging in to Teleport is only required for local users. SSO users should configure multi-factor authentication in their SSO provider.

WebAuthn has replaced U2F in Teleport from previous versions. If you haven't configured U2F before, no further action is necessary—any U2F devices are automatically supported.

If you have an existing U2F configuration, but haven't explicitly configured WebAuthn yet, Teleport will automatically derive your WebAuthn configuration from your existing U2F configuration.

You may write the WebAuthn configuration yourself, but keep the U2F app_id field. Doing so ensures that any already-registered U2F devices won't need to be re-registered.

For example, consider the U2F configuration below:

type: local second_factor: u2f u2f: app_id: https://example.com facets: - "https://example.com" - "https://example.com:443" device_attestation_cas: - "/path/to/u2f_attestation_ca.pem"

You can replace this configuration with its WebAuthn equivalent using a cluster_auth_preference similar to the following:

kind: cluster_auth_preference version: v2 metadata: name: cluster-auth-preference spec: type: local second_factor: "on" u2f: app_id: https://example.com webauthn: rp_id: example.com attestation_allowed_cas: - "/path/to/u2f_attestation_ca.pem"

On a self-hosted cluster, you can configure WebAuthn with a Teleport Auth Service configuration similar to the following: