Server: Disable 2FA when Webauthn is being used.

Created on 3 Jun 2020 · 20 comments · Source: nextcloud/server

I have enabled Webauthn on the new Nextcloud version 19.
So far it's working perfectly, but I would like to have the option that, if Webauthn is being used, no 2FA needs to be passed.

The current login process is username/password and 2FA
OR
username/webauthn and 2FA

Labels: 0. Needs triage, 19-feedback, enhancement, security

All 20 comments

cc @ChristophWurst

Good point. Since webauthn replaces the classic authentication, we might indeed skip 2FA here. @rullzer ?

That will need additional work. Like, that should only be possible if the webauthn device has some 2FA itself. Like on your Android phone, where it only works when you scan your fingerprint etc.

On Win10 you can enable a passcode for Webauthn.
So you need to enter the passcode and touch the device before it logs you in.

Also, if you use Webauthn it might not be essential to use 2FA, as you need a physical something, like a Yubikey or a smartphone.

So there might not be the need for a 2nd factor?!

use yubicob5 nfc and okay, a webauth plugin requires to register the yubico key 2 times, in its menu in safety. the first servecse you want to use yubico 5 nfc in fido 2 mode after putting your credentials, the second registration is needed when you choose item log in with device then you just have to put username and pin + touch to access. if you hold webauthn plugins and u2f plugins then you from 2 choices after entering the username and password.

@tigernero79 I'm having issues understanding your comment. If you are suggesting that the webauthn 2FA provider should pick up devices created for the passwordless login, then report it to the 2FA provider.

I am Italian and I apologize for the imperfect translation. I just wanted to say that the webauthn v0.24 application works well; strangely, it is not compatible with Nextcloud 19 (red warning). I wrote to user deritter88. I wanted to make him understand that the application allows you to register a hardware token twice, because you can use the token as 2FA or as passwordless. Obviously I prefer the second method.

But this application can only be used as a 2nd factor, similar to the already existing U2F application.

With the built-in Webauthn you can complete the "1st factor".

Yes, of course: complete the second factor without entering a password, but only PIN and touch.

By the way: is there a possibility to include the username in the Webauthn request?
Then no username would need to be entered.

I believe something like that is possible in theory. However, I didn't look into it too much. Nor do I own a device to develop this with.

I am not much into technical details, but for example Microsoft uses Webauthn for login. You do not need to enter username/password/2FA at all.

If this is implemented I suggest changing the WebAuthn device registration.

A Yubikey (and likely others) supports both logging in without a PIN and with one. Currently Nextcloud does not mandate using one, thus browsers not supporting PIN entry (or attackers with a stolen key enforcing this) can still log in without entering the PIN. This would effectively degrade the login to one factor. An example of a browser not supporting PIN entry is Firefox (on Linux).

You might want to look at webauthn.io, where this can be tested. Under advanced settings there is the option "User Verification", with the values "Discouraged", "Preferred" and "Required". I think the default when registering WebAuthn devices is "Preferred" (I don't know if Nextcloud specifies anything), thus WebAuthn login is possible without a PIN, even if one is set for the device.

As far as I know, it can be queried if the WebAuthn login was with or without user verification. If user verification was not possible (e.g. by using Firefox), 2FA can still be required.

Update: I looked in the WebAuthn specification.

  • On device registration there is options.authenticatorSelection.userVerification, which can be set to "Discouraged", "Preferred" or "Required" (ref).
  • On login there are multiple flags set in the login response. One indicates user verification (like PIN+touch or biometrics). It is not transparent which form of verification was used. The relevant flag for user verification is UV (ref).

Update 2: Nextcloud currently sets "Discouraged" for authentication requests (this is usually ignored by Chrome and Edge), as set by #21880.

@derritter88 The WebAuthn specification mentions a CredentialID. I guess this can be used to map authenticators to users (and I guess this is what Microsoft uses).
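As an added illustration of the two points above (the userVerification option at registration/authentication and the UV flag in the assertion), here is example relying-party logic that is not Nextcloud's code and not from this thread. It decodes the fixed header of a WebAuthn authenticator data blob, reads the UP and UV flag bits, and decides whether a classic second factor is still required for that login. The option builders show "required" user verification; the empty allowCredentials list for username-less (discoverable credential) login is an assumption about how such a flow would be configured, not something the thread confirms. The sample authenticator data is constructed inline.

```javascript
// Added example, not Nextcloud's own implementation.
// Authenticator data layout (WebAuthn spec, section 6.1):
//   rpIdHash   32 bytes
//   flags       1 byte   (bit 0 = UP, bit 2 = UV, bit 6 = AT, bit 7 = ED)
//   signCount   4 bytes, big-endian
//   ...optional attested credential data and extensions follow.
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: PIN or biometric was checked by the authenticator
const FLAG_AT = 0x40; // attested credential data is appended (registration only)
const FLAG_ED = 0x80; // extension data is appended

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const signCount =
    ((bytes[33] << 24) | (bytes[34] << 16) | (bytes[35] << 8) | bytes[36]) >>> 0;
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// Policy from the discussion: a passwordless WebAuthn login only counts as two
// factors (possession + PIN/biometric) when the authenticator reports UV. Without
// UV the server should still run its normal 2FA step. UP is mandatory in any case.
function secondFactorRequired(authData) {
  if (!authData.userPresent) {
    throw new Error("assertion without user presence is not acceptable");
  }
  return !authData.userVerified;
}

// Registration: ask for a verifying authenticator so a PIN/biometric is enrolled.
// residentKey "required" is an assumption for username-less login; drop it if not wanted.
function registrationOptions(rpId, rpName, user, challenge) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: { userVerification: "required", residentKey: "required" },
    timeout: 60000,
  };
}

// Authentication: "required" instead of "discouraged" makes the browser/authenticator
// insist on PIN/biometric; an empty allowCredentials lets a discoverable credential
// identify the user (hypothetical username-less flow).
function authenticationOptions(rpId, challenge) {
  return { rpId, challenge, allowCredentials: [], userVerification: "required", timeout: 60000 };
}

// Constructed sample: all-zero rpIdHash, chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 7;
  return b;
}

// Stand-alone demonstration.
for (const flags of [FLAG_UP | FLAG_UV, FLAG_UP]) {
  const parsed = parseAuthenticatorData(sampleAuthData(flags));
  console.log(`UV=${parsed.userVerified} -> 2FA still required: ${secondFactorRequired(parsed)}`);
}
```

The decision is made server-side from the signed authenticator data, not from what the client claims, so a browser that cannot prompt for a PIN (the Firefox-on-Linux case mentioned above) simply lands in the 2FA branch instead of being treated as fully authenticated.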

@Varbin To be honest, I do not have any clue about the developed background stuff. I am just a server admin with a little programming knowledge.

I have a very good understanding of using fido2 for SSH access, as well as using the yubico 5 NFC fido2 token with openpgp. For web credit 2 access the yubico has 25 slots available to store login credentials, which can currently be Outlook accounts or ssh fido2 credentials; other uses of fido2 do not store anything in one of the 25 slots when configured as nextcloud fido2 access, and this is not clear to me. Why does trust2 like Outlook do it and others don't? I would like to clarify that from version 5.2.3 of the yubico 5 series upwards it is possible to individually delete one of the 25 stored keys; with versions prior to 5.2.3 I could only reset fido2 by deleting all the keys simultaneously and not individually.

Maybe this entry from the Nextcloud Forum fits in addition.

https://developers.yubico.com/WebAuthn/

This is exactly something that I am looking for. Many thanks for the information!
