Cant add mac touchid as mfa for tsh

[anfedoro]

why adding mfa tsh is asking to give --proxy ? I am just adding the mfa

% tsh mfa add
ERROR: No proxy address specified, missed --proxy flag?

In case I use proxy and my username in the cluster nothing works anyway
_~ % tsh mfa add --proxy=tele****.io --user=anv
Choose device type [WEBAUTHN, TOUCHID]: TOUCHID
Enter device name: t_id
Enter password for Teleport user anv:
ERROR: failed to authenticate using available MFA devices
Webauthn authentication failed
no security keys found_

I have tried both WEBAUTHN, TOUCHID.. with same result.
What the issue ?
with dial all is good.. passkey with web browser works with no issues.
% tsh touchid diag
Has compile support? true
Has signature? true
Has entitlements? true
Passed LAPolicy test? true
Passed Secure Enclave test? true
Touch ID enabled? true
please advise how to make it working

thanks

[benarent]

I would recommend following our guide https://goteleport.com/docs/access-controls/guides/passwordless/ , my gut says that since you added a passkey MFA, it's trying to use this MFA in the command line. I would suggest adding a hardware token such as a yubikey, or even an OTP. This will be used to first validate the token, then you can add touch ID. Also note, Touch ID registrations are isolated by application. A Touch ID registration for tsh is different from a registration made from Chrome or Safari. You may register the same Touch ID device from multiple applications to get passwordless access in all of them.

[anfedoro]

Well...I have strictly followed the doc you are poiting to..
I mentioned two main issues

1. in the doc they give an example as tsh mfa add, and this is doesnt work at all as in relaity tsh ask to add --proxy key... and --proxy require --user etc etc..
2. even in such case you recommendation sound weird and illogical... to avoid purchase and use yubikey I wish to use touchId which I have already..; but to activate it I need yubikey.. what !??

[webvictim]

Unfortunately Touch ID being separate between the browser and the command line is a MacOS security limitation, and there's nothing we can do about it.

Here's an explanation of a workaround: #32051 (comment)

Essentially to have Touch ID registered in both the browser and at the command line, you should be able to:

• set up your Teleport user and add Touch ID in the browser - don't register a passwordless user, make sure to use a password with Touch ID as MFA
• use Touch ID in the browser to add an OTP device (scan QR code with an app like Authy, Google Authenticator etc) - you can verify this operation with Touch ID in the browser
• log in at the command line with tsh login --proxy teleport.example.com --mfa-mode=otp
• type in the OTP code
• run tsh mfa add --type=WEBAUTHN --mfa-mode=otp to add a new Touch ID/WebAuthn device
• enter the OTP code again (wait up to 30 seconds to get a fresh code first)
• touch the Touch ID sensor to register the device

We know this is a pain, it's really unfortunate.

If your user is currently set up to be passwordless, you're better off adding a new user which is not passwordless and using that instead. Touch ID is just not a good fit for passwordless users that need access from tsh or Teleport Connect.

[webvictim]

With regard to tsh mfa add asking for --proxy, this probably indicates that you're not actually logged in at the time you try run the command.

• What does tsh status show?
• What's the output of tsh -d mfa add?

[anfedoro]

• • Otp method doesn work for me.. I dont see OTP option while adding mfa.. only hw key. I have tried to add iphone faceid, i did it.. but it doesnt help 😞.. curious that after successful adding of faceid I deleted touch id from mfa list and can't login now at all! in browser after passeprd enter I choose phone auth method Scan qr code with camera, tap signin, pass faceid.. but then browser say - wrong key. First time in my life I am in such shit. Tens other platforms I use every day and stuck with this one. 🤷🏻‍♂️ The only it creates is headache..not security 😞

[webvictim]

Your cluster will need to be set to second_factor: on for OTP to work - if it's set to second_factor: webauthn it won't work.

Look at the config in /etc/teleport.yaml, change it and restart Teleport if needed:

auth_service:
  authentication:
    second_factor: on

Then from the shell on your Teleport server, reset auth for your user:

sudo tctl users reset <username>

Load the URL in your browser and follow the instructions I wrote in my other comment.

[anfedoro]

Our admin say "we only allow webauthn for 2fa"...so far OTP is not allowed.
Means all other manipulations are senseless.. 😞 I can't use tsh at all

as for tsh status - of course it doesnt show anything as I never used tsh before. I go new account, activated it through web and have

Considering I have no yubikey, I can only use either iphone with faceid or macbook with touchid.. not OTP with Google Authenticator app.
With either of iphone or mackbook I can not activate and login in tsh.
The yubikey seem like the only option :(.. this is not a problem.. just an extra cost

Or the admin may open OTP temporary just to let me activate touchid.. Will it not breake something if she disable the OTP once I have touchid in tsh active?