<security · open>
Pinned 2FA on UTHM CourseReg access (WebAuthn)
issuer · @syamir.fskm
Add WebAuthn (passkey) as the second factor for UTHM CourseReg access (mock target for the bounty). Users should be able to register a passkey on first claim and use it on subsequent claims. Fall back to TOTP for users on older devices.
<rubric>
- WebAuthn registration flow ships behind a feature flag
- Existing TOTP flow continues to work
- Rate limiting and lockout policies in place
- Documented threat model in the repo
<how claims are judged>
A security review by the UTHM Forge Security circle. We pay if the PR ships, the rubric holds, and the threat model is reasonable.
<submission format>
curl -X POST https://api.uthm-forge.dev/bounties/5/claim \
-H "Authorization: Bearer $UTHM_TOKEN" \
-d '{"repo":"github.com/you/passkey-coursereg","pr":9}'