When using subsites, the website and CMS are served under multiple domains. Unless specific redirects are implemented for Security/ and admin/, this allows users to log in on multiple domains. WebAuthn is tied to a domain, but the login itself (and password) isn't. If a user follows the MFA registration flow on one domain, they won't be able to log in on another domain.
This has been discussed in #58, which led to a docs update. Since then, we have decided to install MFA by default on every CWP site in a disabled state (see silverstripe/silverstripe-mfa#359).
Subsites is installed on many sites by default (e.g. all CWP sites), so by adding MFA by default we'll have to deal gracefully with this incompatibility, beyond a docs warning buried in a module somewhere. I propose that we disable WebAuthn when subsites is installed, and allow devs to explicitly opt in via a YAML config flag once they've thought through the implications. Using WebAuthn on a site with multiple domains is still possible, as long as you only use one domain for authenticated work such as CMS authoring. It's a case-by-case decision. The reality is that most sites don't run subsites, and can benefit from having MFA available to be activated by default.
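The domain binding the issue describes, as an added example in Python (not code from the module discussed here or from silverstripe-mfa): a server-side check that a WebAuthn credential registered under one relying party ID cannot be asserted from an unrelated subsite domain, plus a hypothetical `webauthn_available()` rule sketching the proposed "disabled with subsites unless opted in" behaviour. The function names, the config flag and the sample domains are assumptions.

```python
import hashlib
from urllib.parse import urlsplit


def effective_domain(origin: str) -> str:
    """Host part of an origin such as https://cms.example.com:8443."""
    host = urlsplit(origin).hostname
    if not host:
        raise ValueError(f"not a valid origin: {origin!r}")
    return host.lower()


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn rule: the RP ID must equal the origin's effective domain or be a
    suffix of it (a subdomain is fine, an unrelated host is not). The public-suffix
    check the spec also requires is omitted here (assumption, keeps the example short)."""
    host = effective_domain(origin)
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_hash(rp_id: str) -> bytes:
    """Authenticators embed SHA-256(rpId) in the authenticator data; the server compares it."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def verify_assertion_domain(stored_rp_id: str, auth_data_rp_id_hash: bytes, login_origin: str) -> bool:
    """Two checks a server performs at login: the rpIdHash in the assertion must match
    the RP ID the credential was registered under, and the login origin must belong to
    that RP ID. A credential registered on domain A presented from unrelated domain B
    fails, which is exactly the subsite lock-out the issue describes."""
    if auth_data_rp_id_hash != rp_id_hash(stored_rp_id):
        return False
    return rp_id_matches_origin(stored_rp_id, login_origin)


def webauthn_available(subsites_installed: bool, allow_with_subsites: bool = False) -> bool:
    """Hypothetical availability rule from the proposal: WebAuthn is off when the
    subsites module is installed unless a developer opted in via a config flag
    (flag name assumed, not a real module setting)."""
    return (not subsites_installed) or allow_with_subsites
```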
This issue had an internal milestone marked for the upcoming March CMS release. Given that this release is likely to be a patch release (4.5.x), I'm removing the milestone from this issue and recording it against the subsequent release in June.