[Feature Request] Improved WebAuthn support #362

Open
MichaelGrafnetter opened this issue Dec 5, 2024 · 2 comments

Comments

@MichaelGrafnetter

Hi, I really like that the project supports Passkeys / W3C Web Authentication as the second authentication factor. I would really appreciate it if Passkeys could be used as the primary authentication factor as well, optionally replacing usernames+passwords entirely. I propose the following changes, possibly configurable:

  • Switch the ResidentKeyRequirement from PREFERRED to REQUIRED to assure true MFA.
  • Add the ResidentKeyRequirement.REQUIRED setting so that Passkeys can be used even without usernames.
  • Add support for Windows Hello by removing the AuthenticatorAttachment.CROSS_PLATFORM requirement.
  • Enable the AttestationConveyancePreference.DIRECT option so that the authenticator make and model can be displayed in the UI based on AAGUID and so that the Passkeys can be checked against the FIDO Alliance Metadata Service.
@aronmolnar
Contributor

Passkeys and your suggestions sound good.
We must make sure, however, that we don't break existing two-factor authentications (e.g., hardware tokens that don't support FIDO2/discoverable credentials), locking users out of existing installations.

Would you mind submitting a pull request?
(Our CLA, which must be signed for pull requests, is: https://cla-assistant.io/Syslifters/sysreptor)

@MichaelGrafnetter
Author

@aronmolnar Sure, backwards compatibility, UX, and security aspects need to be thought through. Changes in the DB model and UI might be required as well. As the end of the year is busy, I will try to come up with something in January.

I will also need to make sure that the code is fully compliant with the standardized WebAuthn validation checklist, to prevent tampering and replay attacks. I am not sure if all of these aspects are handled by the fido2 library itself. This is crucial if passwordless authentication is to be enabled in the future.
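The relying-party checks the last comment refers to (and the usernameless, user-verified flow the opening post asks for) can be seen in a small pure-Python model. This is an added example, not SysReptor code and not the fido2 library's API: it uses only the standard library, the credential store, RP ID, origin and assertion bytes are constructed sample values, and the signature check over authenticatorData || sha256(clientDataJSON) is assumed to be done by the fido2 library and is deliberately left out so the structural checks stand on their own.

```python
"""Relying-party checks on a WebAuthn assertion (navigator.credentials.get) result.
Added illustration; constructed data, no real authenticator or signature involved."""
import base64
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN/biometric): what makes a single passkey "true MFA"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class StoredCredential:
    credential_id: bytes
    user_handle: bytes   # user.id given at registration; a discoverable credential returns it
    sign_count: int      # last counter value seen; used for replay / clone detection


def parse_authenticator_data(auth_data):
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return rp_id_hash, flags, sign_count


def verify_assertion(response, expected_challenge, expected_origin, rp_id, credentials, require_uv=True):
    """Return the new signature counter if every structural check passes, else raise ValueError.
    `credentials` is keyed by credential id, so no username is needed to find the account
    (the usernameless flow); the assumed signature verification is done elsewhere."""
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (replayed or forged response)")
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    rp_id_hash, flags, sign_count = parse_authenticator_data(b64url_decode(response["authenticatorData"]))
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    stored = credentials.get(b64url_decode(response["rawId"]))
    if stored is None:
        raise ValueError("unknown credential id")
    user_handle = response.get("userHandle")
    if user_handle is not None and b64url_decode(user_handle) != stored.user_handle:
        raise ValueError("userHandle does not belong to this credential")
    # if either side supports a counter it must strictly increase; a repeated value
    # means a replayed assertion or a cloned authenticator
    if (sign_count or stored.sign_count) and sign_count <= stored.sign_count:
        raise ValueError("signature counter did not increase (replay or cloned authenticator)")
    return sign_count


def build_sample_assertion(challenge, origin, rp_id, flags, sign_count, cred_id, user_handle):
    """Constructed sample response (no real signature) for exercising the checks above."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return {
        "rawId": b64url_encode(cred_id),
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(auth_data),
        "userHandle": b64url_encode(user_handle),
        "signature": b64url_encode(b"\x00" * 64),  # placeholder, not checked here
    }


def demo():
    rp_id, origin = "example.com", "https://example.com"   # constructed values
    cred_id, user_handle = b"\x11" * 16, b"user-42"
    creds = {cred_id: StoredCredential(cred_id, user_handle, sign_count=4)}
    challenge = b"\x5a" * 32
    good = build_sample_assertion(challenge, origin, rp_id, FLAG_UP | FLAG_UV, 5, cred_id, user_handle)
    results = {"accepted_count": verify_assertion(good, challenge, origin, rp_id, creds)}
    creds[cred_id].sign_count = results["accepted_count"]  # persist the new counter
    cases = {
        "replayed": good,  # identical response presented again
        "no_uv": build_sample_assertion(challenge, origin, rp_id, FLAG_UP, 6, cred_id, user_handle),
        "wrong_origin": build_sample_assertion(challenge, "https://evil.example", rp_id,
                                               FLAG_UP | FLAG_UV, 6, cred_id, user_handle),
    }
    for name, resp in cases.items():
        try:
            verify_assertion(resp, challenge, origin, rp_id, creds)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The `require_uv` flag is where the backwards-compatibility question from the thread lands: a deployment that keeps older, non-discoverable tokens as a second factor would pass `require_uv=False` for those credentials, while passkeys used as the sole factor are verified with it set.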
