prefer UserVerification = ask for device PIN #271

Closed
jans23 opened this issue Oct 2, 2022 · 1 comment

jans23 commented Oct 2, 2022

In Nextcloud, logins via WebAuthn are single-factor authentications and not two-factor authentications. In #41 and #69 UserVerification was set to DISCOURAGED with the reasoning that the WebAuthn authentication is used after a login authentication. However, this reasoning is wrong because when enabling and configuring WebAuthn it is used instead of a password login and not after a password login. The best practice, also recommended by WebAuthn, is to set UserVerification to Preferred and it should be applied here too. Hence, I suggest reverting #69.
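
Added example, not part of the issue and not Nextcloud's code: how the `userVerification` request option discussed above relates to the UV flag a relying party reads from `authenticatorData`, and why a touch-only assertion counts as a single factor. The function names, the `webauthnIsOnlyFactor` parameter and the sample bytes are assumptions made for illustration.

```javascript
// Added illustration; function and parameter names are assumptions.
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (device PIN or biometric)

// Options the relying party passes to navigator.credentials.get({ publicKey }).
function buildRequestOptions(challenge, webauthnIsOnlyFactor) {
  return {
    challenge,
    timeout: 60000,
    // "discouraged" assumes a password was already checked in this login.
    userVerification: webauthnIsOnlyFactor ? "preferred" : "discouraged",
  };
}

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
function parseFlags(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
  };
}

// Count the factors the assertion itself proves. Call only after the assertion
// signature has been verified, otherwise the flags are untrusted input.
function factorsProven(authData) {
  const { userPresent, userVerified } = parseFlags(authData);
  if (!userPresent) return 0; // no touch: treat the assertion as rejected
  return userVerified ? 2 : 1; // possession, plus PIN/biometric when UV is set
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte set.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

const touchOnly = sampleAuthData(FLAG_UP);
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV);
console.log(buildRequestOptions(new Uint8Array(32), true).userVerification);
console.log(factorsProven(touchOnly), factorsProven(touchAndPin));
```

With `preferred`, an authenticator without a PIN or biometric still returns an assertion with UV unset, so the server has to read the flag to know which case it got.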

jans23 commented Oct 2, 2022

I just noticed that I should have created this issue for the server and not the twofactor_webauthn module.

@jans23 jans23 closed this as completed Oct 2, 2022