Summary
Sensitive account actions (TOTP setup, passkey registration, email/username change, passkey deletion) should require identity re-confirmation before proceeding. The current implementation (#347) adds password confirmation for password users, but does not cover passkey-only or federated users.
Proposed approach
GitHub-style "Confirm access" modal with support for multiple authentication methods:
Backend
POST /account/api/reauth — accepts current_password, returns HMAC-signed short-lived re-auth token (~5 min)POST /account/api/reauth/passkey/begin — returns WebAuthn assertion challenge for the authenticated userPOST /account/api/reauth/passkey/finish — verifies WebAuthn assertion, returns same re-auth token- Sensitive endpoints accept
reauth_token instead of current_password
- Re-auth token is HMAC-signed (
user_id + timestamp + expiry), no DB storage needed — same pattern as authzsig
Frontend (account UI)
ConfirmAccessModal component — title: "Confirm access", button: "Verify"- Shows password input if user has a password
- Shows "Use passkey" button if user has registered passkeys
- Both methods return the same re-auth token to the calling action
- Profile/settings endpoint exposes
has_password and passkey count
User coverage
| User type |
Re-auth method |
| Password users |
Enter password |
| Passkey-only users |
Tap passkey |
| Federated users (no known password) |
Register a passkey first, or set a password via account UI |
| Users with both |
Choose either method |
Future: RFC 9470 step-up authentication
For third-party clients (not the first-party account UI), the spec-compliant approach is:
- Add
acr claim to tokens (authentication method: password, password+totp, passkey)
- Add
auth_time claim to tokens
- Support
max_age and acr_values on the authorize endpoint
- Resource servers can challenge with
401 insufficient_user_authentication
This is a separate, larger feature and should be its own issue.
Related
Summary
Sensitive account actions (TOTP setup, passkey registration, email/username change, passkey deletion) should require identity re-confirmation before proceeding. The current implementation (#347) adds password confirmation for password users, but does not cover passkey-only or federated users.
Proposed approach
GitHub-style "Confirm access" modal with support for multiple authentication methods:
Backend
POST /account/api/reauth— acceptscurrent_password, returns HMAC-signed short-lived re-auth token (~5 min)POST /account/api/reauth/passkey/begin— returns WebAuthn assertion challenge for the authenticated userPOST /account/api/reauth/passkey/finish— verifies WebAuthn assertion, returns same re-auth tokenreauth_tokeninstead ofcurrent_passworduser_id + timestamp + expiry), no DB storage needed — same pattern asauthzsigFrontend (account UI)
ConfirmAccessModalcomponent — title: "Confirm access", button: "Verify"has_passwordand passkey countUser coverage
Future: RFC 9470 step-up authentication
For third-party clients (not the first-party account UI), the spec-compliant approach is:
acrclaim to tokens (authentication method:password,password+totp,passkey)auth_timeclaim to tokensmax_ageandacr_valueson the authorize endpoint401 insufficient_user_authenticationThis is a separate, larger feature and should be its own issue.
Related