Document U2F limitations with multiple URLs
Summary
- Yubico U2F keys generate key handles (a unique token used to identify a given U2F key) based on an `AppID` provided by the server
- The `AppID` we provide is `request.base_url`
- If a user accesses GitLab from different URLs, the U2F registrations will be mutually exclusive, and cannot be interchanged.
- This needs to be documented, to avoid issues like #27854 (closed)
Example
- For example, let's say a GitLab instance is accessible from `url.one` and `url.two`
- A user logs in through `url.one`, sets up 2FA, and registers their U2F device
- The user then logs in through `url.two`, and tries to log in with the U2F device
- This does not work, since the original registration is tied to the `url.one` `AppID`, and will not work for any other URL