Support Simultaneous TOTP/U2F and multiple UF2 keys on local authentication

[gclawes]

Problem

Teleport local authentication currently only supports either TOTP or U2F separately. Additionally, only a single U2F token can be registered at once. This means broken/stolen U2F keys or wiped TOTP auth apps require an account reset to fix.

Solution

Support both TOTP and U2F at once on local connector, and allow mutliple U2F keys to be registered per account. This has been adopted as a standard practice for 2-factor auth on many popular apps/sites (for example, GitLab):

[gclawes]

It occurred to me that tsh login would have to be able to choose which authenticator (TOTP or U2F) to use. A couple of solutions come to mind:

1. tsh login prompts to either enter TOTP code or insert/press U2F key.

gclawes@localhost $ tsh login                                                                                                                                                                                                  
Enter password for Teleport user gclawes:
Please enter TOTP code or press the button on your U2F key: ******

You are now logged in

2. tsh login has a --2fa={totp,u2f} flag to select the authenticator. This doesn't seem very generic, as --2fa would be meaningless for non-local authenticators (GitHub, SAML, OIDC, etc)

3. Pass local authentication off to the browser. This would loose functionality in command-line-only environments.

[mpitt]

Looks similar to #969

[gclawes]

Is this something that will be addressed in future releases?

[awly]

We'll aim to get this fixed in 5.0 (in ~1-2 months from now).

[webvictim]

A personal +1 for this (on top of the 11 +1s from #969)

I have 4 YubiKeys now and only being able to register one with Teleport is a significant limitation.

[awly]

We'll aim to get this fixed in 5.0 (in ~1-2 months from now).

Well that was naive.
I'm starting to work on this now, but it'll be in the next Teleport release, around Feb 2021.

[gclawes]

I've noted this in some other recent issues I've filed (#3384), but I'll make it on-the-record here, in case it affects your planning of this feature. This issue is related to my personal use of Teleport Community Edition, not my employer's use of Teleport Enterprise.