There will be a few methods supported:
Password login won't be supported to begin with unless there is a strong demand for it.
Email login will send a “magic link” to your registered email address. When clicked, this will log you in on the original page you were on, not the page opened when clicking the link. This will allow you, for example, to log in on your phone while clicking the link in the email on your desktop. This could also work on the Hackspace portal if desired.
In order to avoid mis-clicking a “magic link” triggered by a potential attacker, both the email and login page should display a code so the member can check they are clicking the correct link.
This will be implemented by a service running only within the Hackspace network, similar to the old membership server. This service will forward that authentication to the SSO server.
When navigating directly to the portal, the authentication flow will always start at a page asking for your email or the option to use passkeys. If you use passkeys, that is the end of the flow. If email authentication is successful, we will then check whether the member has TOTP configured and, if so, enforce that too.
Logins using a keyfob in the Hackspace will be redirected from the keyfob server to the portal with a short-lived login code. This code will represent a keyfob login that was generated through a back-channel between the keyfob and portal servers.
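The email “magic link” flow described above, sketched as an added example (not the portal's own code): the link only approves the login request that produced it, and the session appears on the original page. The function names, the in-memory store, the 6-digit code format and the 10-minute lifetime are all assumptions, and the TOTP step is not modelled.

```python
import hashlib
import secrets
import time

LINK_TTL = 600  # assumption: 10-minute lifetime; the page does not give one
_by_link = {}     # sha256(link token) -> pending login (in-memory stand-in for a database)
_by_session = {}  # sha256(session id) -> the same pending login

def _digest(value):
    # Store only hashes so a leaked table cannot be replayed as links or sessions.
    return hashlib.sha256(value.encode()).hexdigest()

def start_login(email, now=None):
    """Login page submits an email. Returns what the page and the email each receive."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)    # stays with the browser that asked
    link_token = secrets.token_urlsafe(32)    # only ever sent to the mailbox
    code = f"{secrets.randbelow(10**6):06d}"  # shown on the login page and in the email
    rec = {"email": email, "expires": now + LINK_TTL, "approved": False}
    _by_link[_digest(link_token)] = rec
    _by_session[_digest(session_id)] = rec
    return {"session_id": session_id, "page_code": code,
            "link_token": link_token, "email_code": code}

def click_link(link_token, now=None):
    """Emailed link opened on any device: approves the request, logs nobody in here."""
    now = time.time() if now is None else now
    rec = _by_link.get(_digest(link_token))
    if rec is None or rec["approved"] or now > rec["expires"]:
        return False  # unknown, already used, or expired
    rec["approved"] = True
    return True

def poll_login(session_id, now=None):
    """Original page asks whether its own request was approved; returns the email or None."""
    now = time.time() if now is None else now
    rec = _by_session.get(_digest(session_id))
    if rec is None or not rec["approved"] or now > rec["expires"]:
        return None
    del _by_session[_digest(session_id)]  # one session per approved link
    return rec["email"]
```

Because each request gets its own code, an email triggered from someone else's browser carries a code that does not match the one on the member's own login page.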