New MFA Option: Passkeys #37
base: qa
…he newer versions
Should lines 40-54 in views/users/passkey_finish_registration.html be commented out? Or are they necessary for this to work?
Should lines 30-59 in views/users/passkey_register.html be commented out? If they're redundant, you should remove them.
Migration 014 adds encrypted_passkey_session, which also appears in db/fixtures/users.csv. One of your other PRs also adds encrypted_otp_password_secret (or something similar) in a migration and in this users.csv file. Watch for merge conflicts there.
There are still some references to Authy, e.g. in forms/two_factor_setup_form.go. Just wanted to make sure you're aware. It's probably fine to keep Authy references on the back end, but maybe we don't want users to see them.
This PR is a draft. There are known issues and tests may not pass.
This PR adds a new two-factor authentication option to Registry - the “Passkey” option. This option allows for users to enroll a device, such as the laptop they use to access Registry, with a “Passkey” for authentication. This is in addition to current password authentication, not replacing it. The Passkey implementation is based on the WebAuthN library and FIDO2 standards. More information on the architecture can be found in the feature specification.
New additions include:
* A new route used to begin the passkey registration.
All routes are accessible by APTrust sysadmins, Institutional Admins, and Institutional Users - any type of user may enroll themselves in the passkey option.
Constants have been added including a formal name for this two-factor option (“Passkey”) and a short name for this option to identify it if selected by the user.
A database migration is necessary because we need to store a user session and credential for each user who enrolls in this option.
By visiting the “My Account” page and selecting the “Set up Two-Factor Auth” button, users can view the Passkey option as selectable alongside the other current options - Authy, which is being phased out, and SMS, alongside the option to turn off 2FA entirely. If the user selects the option to use Passkeys and clicks on Submit, the user will be taken to the Passkey enrollment page where further instructions are provided. Provided that the user is using a modern, compatible device and browser, a prompt will pop up with built-in UI to walk the user through the enrollment process.
A new external library has been introduced:
Documentation has been added describing this new option in notes.md.
The pgmodel for users has been updated to add the new session and credential fields, as well as a method to detect if the user has opted in for the Passkey method.
The passkey prompt has been added to the multi-factor authentication page.
Testing:
Documentation has been added to the User Guide in a separate PR.
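The begin/finish registration ceremony the description above outlines, as an added example that is not code from this PR or from the library it uses: the server issues a short-lived challenge at the begin route, keeps it per user (what the PR's encrypted_passkey_session column would hold once decrypted), and at the finish route checks the authenticator's clientDataJSON against it. The PasskeySession struct, the five-minute lifetime and the origin used in the test are assumptions for illustration, not values from the project.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// PasskeySession is the server-side state kept between the begin and finish routes.
// Hypothetical shape; stands in for the library's session data stored per user.
type PasskeySession struct {
	UserID    string    `json:"user_id"`
	Challenge string    `json:"challenge"` // base64url, unpadded, as the browser echoes it
	Expires   time.Time `json:"expires"`
}

// BeginRegistration mints a random 32-byte challenge bound to one user with a short lifetime.
func BeginRegistration(userID string, now time.Time) (PasskeySession, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return PasskeySession{}, err
	}
	ch := base64.RawURLEncoding.EncodeToString(buf)
	return PasskeySession{UserID: userID, Challenge: ch, Expires: now.Add(5 * time.Minute)}, nil
}

// VerifyClientData runs the finish-step checks on the authenticator's clientDataJSON:
// the session is unexpired, the ceremony is a registration, the origin is ours,
// and the echoed challenge is the one we issued (compared in constant time).
func VerifyClientData(sess PasskeySession, clientDataJSON []byte, expectedOrigin string, now time.Time) error {
	var cd struct{ Type, Challenge, Origin string } // CollectedClientData fields the RP checks
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case now.After(sess.Expires):
		return errors.New("passkey session expired")
	case cd.Type != "webauthn.create":
		return errors.New("unexpected ceremony type")
	case cd.Origin != expectedOrigin:
		return errors.New("origin mismatch")
	case subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(sess.Challenge)) != 1:
		return errors.New("challenge mismatch")
	}
	return nil
}
```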