WebAuthn login method for access

Lots of people use Cloudflare Access tunnels for accessing stuff on their home network securely.

Currently the only easy/free option is to use the default ‘One-time PIN’ option which emails you a pin.

My request is to add WebAuthn as a login option so that instead of being emailed a PIN, we can use Touch ID on macOS and Face ID on iOS, as an example.

This would be miles more convenient and probably more secure than waiting for an email.

The only way of doing this right now is to pay for a service such as PingOne, Okta, etc. I imagine there’s a way of self-hosting this yourself with SAML, but I’ve never looked into it or have any idea how it works, so I could be wrong.

My suggestion is to add WebAuthn as an option and then have a button that says ‘Add device’; clicking it would bring up a pop-up that says ‘Add this device or a different device?’

Clicking ‘This device’ would send a WebAuthn add request to the device you’re currently on, such as your Mac.

The ‘Different device’ option would give you a QR code to scan on your phone (for example) that takes you to your access domain and then sends the add request to your device, allowing you to add your iPhone with Face ID.