
Webauthn nx 19 it logs in but then asks me for the second factor between totp and u2f or recovery code #22154

Closed
tigernero79 opened this issue Aug 8, 2020 · 7 comments
Labels: 0. Needs triage (pending check for reproducibility or if it fits our roadmap), bug

Comments

tigernero79 commented Aug 8, 2020

@rullzer

I have correctly configured my Yubico 5 NFC in Nextcloud 19, but I noticed that at login it ends up asking me for one of the 2 authentication factors between TOTP / U2F or a recovery code. I ask myself: shouldn't I log in directly with FIDO2 without being asked for TOTP or other factors? It would make more sense. Otherwise, what is FIDO2 for? Or is there something I have to do?

In practice I log in with FIDO2 like this:

Screenshot_20200808-180206

and so:

Screenshot_20200808-180213

Now, instead of logging me in, it asks me for TOTP or U2F. Why?

Screenshot_20200808-180225

tigernero79 added the labels 0. Needs triage and bug on Aug 8, 2020

rullzer (Member) commented Aug 10, 2020

Yes, this is expected. Right now in Nextcloud WebAuthn replaces your password, not your second factor. This is still something we'd like to do, but not something that is there right now.

tigernero79 (Author) commented Aug 10, 2020

@rullzer
But in this way doesn't it bypass the second factor and add more steps?

  1. Click on Sign with Device
  2. Enter User
  3. Click on Log in
  4. Use the second authentication factor (a senseless thing for me if I use FIDO2)

While if I don't use FIDO2 I do 3 steps.

It is assumed, as in Outlook, that FIDO2 can give you access without using other authentication. Also, if I remove U2F and TOTP, there is always the backup code as a request.
How do I deactivate the recovery codes so that FIDO2 does not ask for anything else, or am I wrong?

tigernero79 (Author) commented:

Maybe, as with Outlook WebAuthn / FIDO2, you could use the FIDO2 PIN and a touch of the key to verify 2 factors, or for NFC the key is held near the phone and that's it, as I already do for Outlook mail on both desktop and mobile.

tigernero79 (Author) commented:

#21215

tigernero79 (Author) commented:

I have a very good understanding of using FIDO2 for SSH access, as well as using the Yubico 5 NFC FIDO2 token with OpenPGP. For FIDO2 web access the Yubico has 25 slots available to store login credentials, which can currently be Outlook accounts or SSH FIDO2 credentials; other uses of FIDO2 do not store anything in one of the 25 slots when configured for Nextcloud FIDO2 access, and this is not clear to me. Why does FIDO2 like Outlook do it and others don't? I would like to clarify that from firmware version 5.2.3 of the Yubico 5 series upwards it is possible to individually delete one of the 25 stored keys; with versions prior to 5.2.3 you could only reset FIDO2 by deleting all the keys simultaneously and not individually.

szaimen (Contributor) commented Jun 9, 2021

Let's track this in #21215

szaimen closed this as completed Jun 9, 2021