Open
Feature Request: Enhanced Magic Link Continuation with Additional Authentication
Summary
Currently, the magic link continuation flow allows users to complete authentication simply by clicking the magic link. This proposal requests an additional security layer where users must provide additional authentication (password or WebAuthn) after clicking the magic link before completing the authentication flow.
Problem Statement
The current implementation of magic link continuation provides convenience but may not meet security requirements for certain use cases where:
- Organizations require multi-factor authentication for sensitive operations
- Additional verification is needed to prevent unauthorized access even if the magic link is intercepted
- Compliance requirements mandate multiple authentication factors
Current Behavior
- User receives magic link via email
- User clicks magic link
- Authentication is completed immediately without additional verification
Desired Behavior
- User receives magic link via email
- User clicks magic link
- User is redirected to an authentication challenge page
- User must provide one of the following:
  - Password authentication
  - WebAuthn authentication (FIDO2/U2F)
  - Other configured authentication methods
- Authentication completes only after successful additional verification
Proposed Solution
Configuration Options
Add configurable authentication requirements for magic link continuation:
{
  "requireAdditionalAuth": true,
  "allowedAuthMethods": ["password", "webauthn", "totp"],
  "defaultAuthMethod": "password"
}
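The desired behavior above, sketched as an added example that is not part of the original request or the project's code: clicking the link yields only a pending challenge, and a session is issued after a factor from `allowedAuthMethods` verifies. The three config keys come from the proposal; the `MagicLinkFlow` class, its method names, the state strings and the verifier callables are hypothetical.

```python
import secrets

# Config keys as proposed in the issue; all other names here are assumptions.
CONFIG = {
    "requireAdditionalAuth": True,
    "allowedAuthMethods": ["password", "webauthn", "totp"],
    "defaultAuthMethod": "password",
}

def validate_config(cfg):
    """Reject configs where the extra step is required but cannot be satisfied."""
    allowed = cfg.get("allowedAuthMethods", [])
    if cfg.get("requireAdditionalAuth"):
        if not allowed:
            raise ValueError("requireAdditionalAuth set but allowedAuthMethods is empty")
        if cfg.get("defaultAuthMethod") not in allowed:
            raise ValueError("defaultAuthMethod must be one of allowedAuthMethods")
    return cfg

class MagicLinkFlow:
    """Hypothetical flow: link click -> pending challenge -> session."""

    def __init__(self, cfg, verifiers):
        self.cfg = validate_config(cfg)
        self.verifiers = verifiers  # method name -> callable(user, proof) -> bool
        self.links = {}             # magic-link token -> user
        self.pending = {}           # challenge id -> user

    def issue_link(self, user):
        token = secrets.token_urlsafe(32)
        self.links[token] = user
        return token

    def click_link(self, token):
        user = self.links.pop(token, None)  # single use: a replayed link fails
        if user is None:
            return ("rejected", None)
        if not self.cfg.get("requireAdditionalAuth"):
            return ("session", user)        # current behavior: link alone suffices
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = user
        return ("challenge", cid)           # no session issued yet

    def complete(self, cid, method, proof):
        user = self.pending.get(cid)
        if user is None or method not in self.cfg["allowedAuthMethods"]:
            return ("rejected", None)
        check = self.verifiers.get(method)
        if check is None or not check(user, proof):
            return ("rejected", None)       # challenge stays pending for a retry
        del self.pending[cid]               # consume the challenge on success
        return ("session", user)
```

A deployment would also expire pending challenges and limit failed attempts per challenge, which this sketch leaves out.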