Document second_factors; Update test plan.

.github/ISSUE_TEMPLATE/webtestplan.md

@@ -123,10 +123,9 @@ All actions should require re-authn with a webauthn device.
 For each, test the invite, reset, and login flows
 
 - [ ] Verify that input fields validates
-- [ ] Verify with `second_factor` type to `off`
-- [ ] Verify with `second_factor` type to `otp`, requires otp
-- [ ] Verify with `second_factor` type to `webauthn`, requires hardware key
-- [ ] Verify with `second_factor` type to `on`, requires a MFA device
+- [ ] Verify with `second_factors` set to `["otp"]`, requires otp
+- [ ] Verify with `second_factors` set to `["webauthn"]`, requires hardware key
+- [ ] Verify with `second_factors` set to `["webauthn", "otp"]`, requires a MFA device
 - [ ] Verify that error message is shown if an invite/reset is expired/invalid
 - [ ] Verify that account is locked after several unsuccessful login attempts
 
@@ -807,16 +806,16 @@ Add the following to enable read access to trusted clusters
 - Auth methods
   - Verify that the app supports clusters using different auth settings
     (`auth_service.authentication` in the cluster config):
-    - [ ] `type: local`, `second_factor: "otp"`
+    - [ ] `type: local`, `second_factors: ["otp"]`
       - [ ] Test per-session MFA items listed later in the test plan.
-    - [ ] `type: local`, `second_factor: "webauthn"`,
+    - [ ] `type: local`, `second_factors: ["webauthn"]`,
       - [ ] Test per-session MFA items listed later in the test plan.
-    - [ ] `type: local`, `second_factor: "webauthn"`, log in passwordlessly with hardware key
-    - [ ] `type: local`, `second_factor: "webauthn"`, log in passwordlessly with touch ID
-    - [ ] `type: local`, `second_factor: "on"`, log in with OTP
+    - [ ] `type: local`, `second_factors: ["webauthn"]`, log in passwordlessly with hardware key
+    - [ ] `type: local`, `second_factors: ["webauthn"]`, log in passwordlessly with touch ID
+    - [ ] `type: local`, `second_factors: ["webauthn", "otp"]`, log in with OTP
       - [ ] Test per-session MFA items listed later in the test plan.
-    - [ ] `type: local`, `second_factor: "on"`, log in with hardware key
-    - [ ] `type: local`, `second_factor: "on"`, log in with passwordless auth
+    - [ ] `type: local`, `second_factors: ["webauthn", "otp"]`, log in with hardware key
+    - [ ] `type: local`, `second_factors: ["webauthn", "otp"]`, log in with passwordless auth
     - [ ] Verify that the passwordless credential picker works.
       - To make the picker show up, you need to add the same MFA device with passwordless
         capabilities to multiple users.

docs/pages/admin-guides/access-controls/device-trust/enforcing-device-trust.mdx

@@ -111,7 +111,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: (=clusterDefaults.clusterName=)
   device_trust:

docs/pages/admin-guides/access-controls/guides/hardware-key-support.mdx

@@ -280,7 +280,7 @@ Yubikey for Hardware Key support, you might get an error on rare occasions.
 Depending on your settings, you might be asked to tap your Yubikey many times.
 Each tap is necessary to safely authenticate you.
 
-For example, if you have `second_factor: webauthn` set in your `cluster_auth_preference`,
+For example, if you have `second_factors: ["webauthn"]` set in your `cluster_auth_preference`,
 and `require_session_mfa: hardware_key_touch` set on your role,
 you'll see the following output when you first sign in:
 

docs/pages/admin-guides/access-controls/guides/headless.mdx

@@ -53,7 +53,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.com
   connector_name: headless # headless by default
@@ -83,7 +83,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.com
   headless: false # disable Headless WebAuthn

docs/pages/admin-guides/access-controls/guides/mfa-for-admin-actions.mdx

@@ -71,8 +71,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  # To make webauthn the only form of second factor allowed, set this field to 'webauthn'.
-  second_factor: "webauthn"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.com
 ```

docs/pages/admin-guides/access-controls/guides/passwordless.mdx

@@ -138,7 +138,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.com
   connector_name: passwordless # passwordless by default
@@ -229,7 +229,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.com
   passwordless: false # disable passwordless

docs/pages/admin-guides/access-controls/guides/per-session-mfa.mdx

@@ -43,7 +43,7 @@ per-session MFA with FIPS builds, provide the following in your `teleport.yaml`:
 teleport:
   auth_service:
     local_auth: false
-    second_factor: on
+    second_factors: ["webauthn"]
     webauthn:
       rp_id: teleport.example.com
 ```

docs/pages/admin-guides/access-controls/guides/webauthn.mdx

@@ -62,8 +62,8 @@ Teleport configuration as below:
     name: cluster-auth-preference
   spec:
     type: local
-    # To enable WebAuthn support, set this field to 'on', 'optional' or 'webauthn'
-    second_factor: "on"
+    # To enable WebAuthn support, include "webauthn" as a second factor method.
+    second_factors: ["webauthn"]
     webauthn:
       # Required, replace with proxy web address (example.com, example.teleport.sh).
       # rp_id is the public domain of the Teleport Proxy Service, *excluding* protocol
@@ -469,8 +469,7 @@ Update the `cluster_auth_preference` definition to include the following content
     name: cluster-auth-preference
   spec:
     type: local
-    # To make webauthn the only form of multi-factor allowed, set this field to 'webauthn'.
-    second_factor: "webauthn"
+    second_factors: ["webauthn"]
     webauthn:
       rp_id: example.com
   ```

docs/pages/admin-guides/infrastructure-as-code/infrastructure-as-code.mdx

@@ -174,6 +174,7 @@ static configuration file:
 |---|---|
 |`spec.type`|`auth_service.authentication.type`|
 |`spec.second_factor`|`auth_service.authentication.second_factor`|
+|`spec.second_factors`|`auth_service.authentication.second_factors`|
 |`spec.connector_name`|`auth_service.authentication.connector_name`
 |`spec.u2f`|`auth_service.authentication.u2f`|
 |`spec.disconnect_expired_cert`|`auth_service.disconnect_expired_cert`|

docs/pages/includes/config-reference/auth-service.yaml

@@ -156,11 +156,18 @@ auth_service:
         # Possible values: true, false, "hardware_key", "hardware_key_touch".
         # Defaults to false.
         require_session_mfa: false
+
+        # second_factors is the list of allowed second factors for the cluster.
+        # Possible values: "otp" and "webauthn".
+        # Defaults to ["otp"].
+        second_factors: ["otp"]
 
         # second_factor can be 'on', 'otp' or 'webauthn'.
         # - 'on' requires either otp or webauthn second factor.
         # - 'otp' and 'webauthn' require the corresponding second factor.
-        second_factor: otp
+        #
+        # Prefer setting second_factors instead.
+        #second_factor: otp
 
         # Sets whether passwordless authentication is allowed.
         # Passwordless requires WebAuthn.

docs/pages/reference/access-controls/authentication.mdx

@@ -47,7 +47,7 @@ Add the following to your Teleport configuration file, which is stored in
   auth_service:
     authentication:
       type: local
-      second_factor: on
+      second_factors: ["webauthn"]
       webauthn:
         rp_id: example.teleport.sh
   ```
@@ -68,7 +68,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.teleport.sh
 version: v2
@@ -102,7 +102,7 @@ metadata:
   name: cluster-auth-preference
 spec:
   type: local
-  second_factor: "on"
+  second_factors: ["webauthn"]
   webauthn:
     rp_id: example.teleport.sh
 version: v2

docs/pages/reference/resources.mdx

@@ -247,10 +247,17 @@ Global cluster configuration options for authentication.
 metadata:
   name: cluster-auth-preference
 spec:
-  # Sets the type of second factor to use.
+  # Sets the list of allowed second factors for the cluster. 
+  # Possible values: "otp" and "webauthn".
+  # Defaults to ["otp"].
+  second_factors: ["webauthn", "otp"]
+
+  # second_factors is the list of allowed second factors for the cluster.
   # Possible values: "on", "otp" and "webauthn"
   # If "on" is set, all MFA protocols are supported.
-  second_factor: "otp"
+  #
+  # Prefer setting second_factors instead.
+  #second_factor: "webauthn"
 
   # The name of the OIDC or SAML connector. if this is not set, the first connector in the backend is used.
   connector_name: ""

docs/pages/reference/user-types.mdx

@@ -50,7 +50,7 @@ authentication method required by the upstream SSO provider. Teleport is not
 aware of the authentication method not the user credentials, it trusts the IdP
 response.
 
-If `teleport.auth_service.authentication.second_factor` is `webauthn`, Teleport
+If `teleport.auth_service.authentication.second_factors` is `["webauthn"]`, Teleport
 might ask for an additional MFA for administrative actions. This protects
 against IdP compromise.