Disable 2FA when Webauthn is being used. #21215
Comments
derritter88
added
0. Needs triage
|
Good point. Since webauthn replaces the classic authentication, we might indeed skip 2FA here. @rullzer ? |
That will need additional work. Like that should only be possible if the webauthn device has some 2fa. Like on your android phone it only works when you scan your fingerprint etc. |
On Win10 you can enable a passcode for Webauthn. |
|
Also if you use Webauthn it might be not essential to use a 2FA as you need a physical something - like a Yubikey or a smartphone. So there might not be the need to have a 2nd factor?! |
|
use yubicob5 nfc and okay, a webauth plugin requires to register the yubico key 2 times, in its menu in safety. the first servecse you want to use yubico 5 nfc in fido 2 mode after putting your credentials, the second registration is needed when you choose item log in with device then you just have to put username and pin + touch to access. if you hold webauthn plugins and u2f plugins then you from 2 choices after entering the username and password. |
|
@tigernero79 I'm having issues to understand your comment. If you are suggesting that the webauthn 2fa provider should pick up devices created for the password less login then report it to the 2fa provider. |
|
I am Italian and I apologize for the not perfect translation. I just wanted to say that webauthn v0.24 application works well, strangely it is not compatible with nextcloud 19 red warning. I wrote to user deritter88. I wanted to make him understand what application allows you to register a hardware token twice because you can use the token as 2fa or as a passwordless. obviously I prefer the second method. |
But this application can only be used as a 2nd factor - similar to the already existing U2F application. With the build-in Webauthn you can complete the "1st factor". |
|
yes of course complete the second factor without putting password but only pin and touch |
|
By the way: Is there a possibility to include the username to the Webauth request? |
|
I believe something like that is possible in theory. However I didn't look into it to much. Nor do I own a device to develop this with. |
|
I am not much into technical details but for example Microsoft uses Webauthn for login. You do not need to enter username/password/2FA at all. |
|
If this is implemented I suggest changing the WebAuthn device registration. A Yubikey (and likely others) supports both, logging in without PIN and with PIN. Currently Nextcloud does not mandate using one, thus browsers not supporting a PIN entry (or attackers with a stolen key enforcing this) can still log in without entering the PIN. This would effectively degrade the login to one factor. An example of a browser not supporting PIN entry is Firefox (on Linux). You might want to look at webauthn.io, where this can be tested. Under advanced settings there is the option for "User Verification", with the options "Discouraged", "Preferred" and "Required". I think the default when registering WebAuthn devices is "Preferred" (I don't know if Nextcloud specifies anything), thus WebAuthn login is possible without PIN, even if one is set for the device. As far as I know, it can be queried if the WebAuthn login was with or without user verification. If user verification was not possible (e.g. by using Firefox), 2FA can still be required. Update: I looked in the WebAuthn specification.
Update 2: Nextcloud currently sets "Discouraged" for authentication requests (this is usually ignored by Chrome and Edge), as set by #21880. |
|
@derritter88 The WebAuthn specification mentions a CredentialID. I guess this can be used map authenticators to users (and I guess this is what Microsoft uses). |
|
@Varbin To be honest I do not have any glue of the developed background stuff - I am just a server admin with a little programming knowledge. |
|
I have a very good understanding of using fido2 for SSH access, as well as using yubico 5 Nfc fido 2 token in using openpgp. for web credit 2 access the yubico has 25 slots available to store login credentials, which can currently be Outlook accounts, or ssh fido2 credentials, other uses of fido2 do not store anything in one of the 25 slots, when configured as nextcloud access fido2 and this is not clear to me. why trust2 like Outlook does it and others don't? I would like to clarify that from version 5.2.3 of yubico 5 series upwards it is possible to individually delete one of the 25 stored keys, with versions prior to 5.2.3 ai could only reset fido2 by deleting all the keys simultaneously and not individually. |
This comment has been minimized.
This comment has been minimized.
|
This is exactly something that I am looking for. Many thanks for the information! |
szaimen
removed
0. Needs triage
|
I don't know how, but Github make the difference between FIDO authentificator that can be used as passkeys (and then 2FA is not required) and FIDO authentificator that can only be used as security keys (for 2FA). For example, when I log on to Github with a passkeys stored in Bitwarden, I don't need to use my Yubikey. And I can't register my Yubikey as passkeys as "this device is reporting partial passkey support". I think it should be the same with Nextcloud. |
|
if you have already stored your yubico token as 2fa it will not be taken as a passkey. the passkey (fido2) allows access without a password because the private key can be stored in the token itself see yubikey (it can store up to 25) or it depends on the developer how they implement the passkey can be stored on their servers, the key stub private is stored by them this avoids saturating the 25 slots available on ybikey. but whether the passkey is memorized or not, it is used not to enter passwords but only pin+touch. the problem in nextcloud is that if you enable webauth fido2 passkey works but the fact remains that it does not disable traditional access by entering the username and password which defeats the purpose of enabling passkey |
Just bumping my comment from over a year ago, with respect to these recent comments. The heart of the problem is [still] that when WebAuthn is used for passwordless login the 'pin+touch' part isn't enforced, and some second factor is still required, otherwise you just need to steal the physical key to masquerade as the user. An additional problem is that it's possible to enable the same key as the 2FA step as well, circumventing security beyond the site admin's control. Simply giving an option to make that UV=Required part mandatory per NextCloud install seems a simple interim solution, given the time it's taking to resolve this fairly fundamental security issue (3 years +). |
Perhaps I misspoke. On Github I have the following configuration: login, password, Yubikey as double authentication, passkey in Bitwarden. This is possible because Github does not accept my Yubikey as passkeys (they only accept FIDO devices that implement authentication (fingerprint, password manager...)). |
|
I have correctly configured 2 of my yubico 5 and 5c NFC tokens as passkeys on github, it accepts them without any other software |
|
Sorry, I've realized my mistake, I'm using Firefox, which doesn't let me add a PIN to my Yubikey. So I can only use my Yubikey as a means of double authentication, not as a passkey. |
|
if you use google chrome by removing your yubikey like 2fa you can store them as passkeys instead |
|
In the end, it doesn't change my point, we should be able to do what Github does, i.e. only require dual authentication when a device without authentication has been used as the first authentication method (yubikey without PIN or fingerprint...). |
|
if you use passkey you have double authentication (fido2 pin and touch) if you use 2fa then you have to enter your username and password and then use the token |
The sum, two factor is correct, but not that way! @ggrzeczkowicz : |
Can confirm. This seems to have landed recently. It was not possible in the past 🚀 |
|
Given how Edge is basically a Chrome, and Firefox also supports PIN now, I vote that passkey login (resident or not on your FIDO key, although the term "passkey" has been twisted to mean resident keys) with mandatory user-verification (which can be requested by Nextcloud) should skip 2FA. Nextcloud doesn't create resident keys when registering a FIDO WebauthN key, which is a good default IMO, but the possibility would be nice. But that's another issue... |
|
Regarding user presence vs verification. Exactly Basically the touch is only basically a captcha in hardware to make sure malware can't try pins and either lock you out or use your stick to do stuff. |
I would suggest to request with the "recommended" option. Edit: And yes, resident key feature would be nice as well, although I wouldn't consider that one equally important. |
BTW: I don't want to disturb anyone's euphoria, but the source code of the NC main branch still says |
|
was that for registration where it asks? because technically CTAP2 in general requires a PIN, and chrome tries to fall back to U2F if PIN is set to discouraged to avoid the PIN |
Which might be fine for a personal setup, but unacceptable to an entity seeking to impose security. I still advocate UV=Required needs to be a simple configurable option for those that require it regardless of any perceived downsides. |
|
I heavily advocate UV=required as default. Sure, I'm all for that it can be overridable on an account/admin level, but the default should be UV=required. Using (UV=recommended) I believe is problematic as it either (since 2fa should not be skipped in the case of no UV):
My comment is all about defaults. |
What about devices not supporting UV? |
|
I would argue that they should be only used as second factor (via twofactor-webauthn), not as a primary sign in method in this workflow |
It's unavoidable that you need a WebAuthn compliant client to implement passwordless login. If you need to support other devices, then you also need to configure regular password login, with or without 2FA, at your discretion. It's the most common scenario e.g. GitHub, Office 365 etc. allow passwords with TOTP as well as FIDO2. The issue here is that it's still not possible for an admin to configure and/or mandate single factor login securely, whether or not they have or want the password alternative as a fallback. Passwordless login simply requires UV, I can't think of a single implementation that doesn't, or indeed has this kind of issue.
The workflow in this thread is about passwordless login via WebAuthn (FIDO2) without 2FA. But it needn't be a binary choice about coding one use case or another for all installs, simply having a configuration option to enforce UV would resolve this issue for those that need or want single factor login. The argument about what should be the default settings for those site admins who've not thought about it seems somewhat supplementary. We simply can't make the choice at all at the moment. |
|
The thing that is not clear to me in all of this, regardless of 2fa and totp, concerns Fido2, nextcloud already plans to associate webauth devices for password-free access in its latest versions, this is highlighted when for example with a yubico 5 nfc I I associate it in the passwordless authentication section.
The problem arises if I also install alternatives such as "two-facto TOTP Provider and two-factor WebAuth" applications for those who do not have fido2 devices or tokens but have 2fa tokens or want to use yubico as TOTP. in this case if I access nexcloud wanting to take advantage of webautn included in nextcloud after fido2 authentication I find myself having to choose again between totp and fido2 of the applications listed, which should not happen as I have already been authorized with nextcloud's webauth. I do not know if I was clear |
|
We also have a mixed environment here. Some users use TOTP as a 2nd factor and the others use Fido2 with a Yubiko stick. For the time being, I have solved this by creating two different groups. For the users with TOTP, 2nd factor is mandatory. Not for the Fido2 users. They should only log in via the "Log in with a device" link. SSo far for now... |
If there was any viable way to automate this approach, I would be fine with it. 🤷 Provided UV is enforced, of course... |
|
I am not sure why this is being discussed for 4 years. As soon as passphrases are used to login to a web site, 2FA is usually ignored and no 2FA challenge is presented. Nextcloud is one of the few web apps that ignores this standard login flow. 2FA only makes sense for logins via user and password. |
You mean passkeys, do you? 🤔 |
|
Yes, I do. |
and others
I have enabled Webauthn on the new Nextcloud version 19.
So far it's working perfect but I would like to enable the option if Webauthn is being used then no 2FA needs to be passed.
The current login process is username/password and 2FA
OR
username/webauthn and 2FA
The text was updated successfully, but these errors were encountered: