Add User Verification (pin support) for CTAP2 enabled devices

[s-f-s]

It would be great to have support for "User Verification" with FIDO2 (CTAP2 enabled device) using a PIN.

https://www.w3.org/TR/webauthn/#user-verification

[My1]

does the nextcloud let you enter the 2FA module without a password tho?
because that's kinda the purpose of the UV, to ax the password requirement.

[kowalski7cc]

I think in this case authenticatorSelection.userVerification should be discouraged because this is already a second factor after password entry.
The verification required should be used in the Nextcloud passwordless login (nextcloud/server#21215), which at the moment is broken because it won't check for user verification and instead will bring you to a 2fa that could be the same used for the passwordless login (nextcloud/server#22982)

[My1]

I think in this case authenticatorSelection.userVerification should be discouraged because this is already a second factor after password entry.
The verification required should be used in the Nextcloud passwordless login (nextcloud/server#21215), which at the moment is broken because it won't check for user verification and instead will bring you to a 2fa that could be the same used for the passwordless login (nextcloud/server#22982)

couldnt agree more.
preferred just kinda sux in general and is a kinda bad default.

I have written a bit about this already somewhere.
https://blog.my1.dev/webauthns-userverificationpreferred-and-its-pitfalls
I dont really wanna advertise anything but it's just easier than writing it all top to bottom into a comment.

[kowalski7cc]

@michib I have a commit here that discourages browsers to ask for user verification: https://github.com/kowalski7cc/nextcloud_twofactor_webauthn/commit/09c7c619107634646b06ab2c3d65776f1cbaa0fe
I'm testing it on my NC instance (It seems to work ok with Yubikey).
If you want I can open a PR.

[michib]

@kowalski7cc i would highly appreciate it. Thanks in advance