nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Disable 2FA when Webauthn is being used. #21215

Open derritter88 opened 4 years ago

derritter88 commented 4 years ago

I have enabled Webauthn on the new Nextcloud version 19. So far it's working perfect but I would like to enable the option if Webauthn is being used then no 2FA needs to be passed.

The current login process is username/password and 2FA OR username/webauthn and 2FA

kesselb commented 4 years ago

cc @ChristophWurst

ChristophWurst commented 4 years ago

Good point. Since webauthn replaces the classic authentication, we might indeed skip 2FA here. @rullzer ?

rullzer commented 4 years ago

> Good point. Since webauthn replaces the classic authentication, we might indeed skip 2FA here. @rullzer ?

That will need additional work. Like that should only be possible if the webauthn device has some 2fa. Like on your android phone it only works when you scan your fingerprint etc.

derritter88 commented 4 years ago

> Good point. Since webauthn replaces the classic authentication, we might indeed skip 2FA here. @rullzer ?

> That will need additional work. Like that should only be possible if the webauthn device has some 2fa. Like on your android phone it only works when you scan your fingerprint etc.

On Win10 you can enable a passcode for Webauthn. So you need to enter the passcode and touch the device before it logs you in.

derritter88 commented 4 years ago

Also if you use Webauthn it might be not essential to use a 2FA as you need a physical something - like a Yubikey or a smartphone.

So there might not be the need to have a 2nd factor?!

tigernero79 commented 4 years ago

I use a Yubico 5 NFC and it's okay; the webauthn plugin requires you to register the Yubico key 2 times, in its security menu. The first serves if you want to use the Yubico 5 NFC in FIDO2 mode after entering your credentials; the second registration is needed when you choose the item "log in with device", then you just have to enter username and PIN + touch to access. If you have both the webauthn plugin and the U2F plugin, then you have 2 choices after entering the username and password.

kesselb commented 4 years ago

@tigernero79 I'm having issues understanding your comment. If you are suggesting that the webauthn 2fa provider should pick up devices created for the passwordless login, then report it to the 2fa provider.

tigernero79 commented 4 years ago

I am Italian and I apologize for the imperfect translation. I just wanted to say that the webauthn v0.24 application works well; strangely it is not compatible with Nextcloud 19 (red warning). I wrote to user deritter88. I wanted to make him understand which application allows you to register a hardware token twice, because you can use the token as 2fa or as passwordless. Obviously I prefer the second method.

derritter88 commented 4 years ago

> I am Italian and I apologize for the imperfect translation. I just wanted to say that the webauthn v0.24 application works well; strangely it is not compatible with Nextcloud 19 (red warning). I wrote to user deritter88. I wanted to make him understand which application allows you to register a hardware token twice, because you can use the token as 2fa or as passwordless. Obviously I prefer the second method.

But this application can only be used as a 2nd factor - similar to the already existing U2F application.

With the built-in Webauthn you can complete the "1st factor".

tigernero79 commented 4 years ago

Yes, of course, complete the second factor without entering a password but only PIN and touch.

derritter88 commented 4 years ago

By the way: Is there a possibility to include the username to the Webauth request? So no username needs to be added.

rullzer commented 4 years ago

I believe something like that is possible in theory. However, I didn't look into it too much. Nor do I own a device to develop this with.

derritter88 commented 4 years ago

I am not much into technical details but for example Microsoft uses Webauthn for login. You do not need to enter username/password/2FA at all.

Varbin commented 4 years ago

If this is implemented I suggest changing the WebAuthn device registration.

A Yubikey (and likely others) supports both, logging in without PIN and with PIN. Currently Nextcloud does not mandate using one, thus browsers not supporting a PIN entry (or attackers with a stolen key enforcing this) can still log in without entering the PIN. This would effectively degrade the login to one factor. An example of a browser not supporting PIN entry is Firefox (on Linux).

You might want to look at webauthn.io, where this can be tested. Under advanced settings there is the option for "User Verification", with the options "Discouraged", "Preferred" and "Required". I think the default when registering WebAuthn devices is "Preferred" (I don't know if Nextcloud specifies anything), thus WebAuthn login is possible without PIN, even if one is set for the device.

As far as I know, it can be queried if the WebAuthn login was with or without user verification. If user verification was not possible (e.g. by using Firefox), 2FA can still be required.

Update: I looked in the WebAuthn specification.

Update 2: Nextcloud currently sets "Discouraged" for authentication requests (this is usually ignored by Chrome and Edge), as set by #21880.

Varbin commented 4 years ago

@derritter88 The WebAuthn specification mentions a CredentialID. I guess this can be used to map authenticators to users (and I guess this is what Microsoft uses).

derritter88 commented 4 years ago

@Varbin To be honest I do not have any clue about the development background stuff - I am just a server admin with a little programming knowledge.

tigernero79 commented 4 years ago

I have a very good understanding of using FIDO2 for SSH access, as well as using the Yubico 5 NFC FIDO2 token with OpenPGP. For web credit 2 access the Yubico has 25 slots available to store login credentials, which can currently be Outlook accounts or SSH FIDO2 credentials; other uses of FIDO2 do not store anything in one of the 25 slots when configured as Nextcloud FIDO2 access, and this is not clear to me. Why trust2 like Outlook does it and others don't? I would like to clarify that from version 5.2.3 of the Yubico 5 series upwards it is possible to individually delete one of the 25 stored keys; with versions prior to 5.2.3 I could only reset FIDO2 by deleting all the keys simultaneously and not individually.

tigernero79 commented 4 years ago

https://developers.yubico.com/WebAuthn/

osm-frasch commented 4 years ago

Maybe this entry from the Nextcloud Forum fits in addition.

derritter88 commented 4 years ago

> https://developers.yubico.com/WebAuthn/

This is exactly something that I am looking for. Many thanks for the information!

kowalski7cc commented 3 years ago

I think the login flow should be something like this: [screenshot: Screenshot-20210712105948-991x856]

derritter88 commented 3 years ago

Yes, this is exactly what I am looking for.

My1 commented 3 years ago

totally agree on this, would be awesome.

skorokithakis commented 3 years ago

I haven't read the entire chain, but I'd like to point out that WebAuthn Passwordless is meant to replace 2FA, since you already authenticate with a device (the "something you have") and a PIN (the "something you know"). Requiring U2F on top of WebAuthn (which will probably use the exact same device) is redundant, since an attacker who both stole the device and the PIN can just tap it again, so the additional step will prevent nothing.

MrAxle commented 3 years ago

One separate issue (discussed in #22982 and #22025, and probably elsewhere also) is the fact that WebAuthn devices are not currently set up to require a PIN to login, so WebAuthn is currently (unless someone fixed this recently) only 1 factor, not 2 (something you have). Which makes this issue 2 things: Disable 2FA (TOTP or U2F) when using WebAuthn (as it's just a second "something you have"), and require WebAuthn devices to require PIN entry.

That being the case requiring TOTP when WebAuthn is used is not the most crazy of ideas, as most people probably use their phone (with a PIN or biometric lock) to access their TOTP code generator. U2F, however, would be the same device so there clearly is still an issue here, probably one that needs the "Security" tag.

CarlSchwan commented 3 years ago

@nextcloud/security What is your opinion on this?

ChristophWurst commented 3 years ago

It makes sense, like the previous comment summarized it. As long as WebAuthn doesn't require a PIN you need to perform 2FA. Only when we know that WebAuthn itself is already a valid 2FA then we can skip the 2FA in Nextcloud.

skorokithakis commented 3 years ago

@ChristophWurst how does that help? With your proposal, the flow will be:

  1. Enter your username, tap the device.
  2. Authenticate the second factor, tap the same device again a second time.

How does that help security? The only thing I can see that doing is inconveniencing the user, making them tap the same device twice. If someone steals it, a second tap isn't going to deter them.

ChristophWurst commented 3 years ago

See https://github.com/nextcloud/server/issues/21215#issuecomment-890593868 if my wording was misleading.

kowalski7cc commented 3 years ago

The point should be fixing the current WebAuthn implementation, not adding workarounds to avoid 2FA misuse by users.

My1 commented 3 years ago

This has been open for over a year tho? Is the solution of checking a PIN that hard to do in Nextcloud? I personally have only done a sandbox/playground-style implementation of WebAuthn stuff but had no issues forcing UV even outside the bounds of the library: https://github.com/nextcloud/server/issues/22982#issuecomment-739787301 Basically you just need to check the UV bit in addition to the checks already there, and obviously set "required" on the parameters of the js function.

My1 commented 3 years ago

> I think the login flow should be something like this: [screenshot: Screenshot-20210712105948-991x856]

Honestly I'd even be in favor of swapping 2FA and password, so password tryout rules could be much more lenient without sacrificing security, as you could say there's a reasonable assumption that the person is likely to be the right one rather than one who just entered a username.

also do challenge really should have a way to get back to selection

kowalski7cc commented 3 years ago

@My1 That would lead to some side-channel issues, like user enumeration (not everyone has 2FA or multiple/all factors). With the different 2FA/password request screens and different load times it would allow you to:

You could show every challenge to every user, but that wouldn't be a very nice UX/UI, and maybe still vulnerable.

If you don't want to enter your password, there should be FIDO2 passwordless.

My1 commented 3 years ago

> If you don't want to enter your password, there should be FIDO2 passwordless.

Well, that thing has been basically broken for over a year.

My1 commented 2 years ago

We are in 2022 now, any updates here?

Ideally this should only need 3 changes:

1) use "required" for the UV request
2) verify the UV bit in the server -> https://github.com/nextcloud/server/issues/22982#issuecomment-739787301
3) skip 2FA when passwordless is used.

nursoda commented 2 years ago

Once the login flow is modified, I suggest that the 2FA flow itself is modified, too: What really disturbs me is the need to SELECT CHALLENGE. One shouldn't have to. Either use the method used last time or let the user set a DEFAULT METHOD. Offer that right away and allow the user to CHANGE the method if she/he cannot use the default method for THIS particular login. That is what I see in GitHub, WordPress, etc. It eliminates one click for all users that do have more than one method set up (which is a good idea). Personally, I have a FIDO2 in my Laptop. But when I need to access a NC from another device, I use TOTP.

Is THIS the right place for that proposal or should it be a separate issue? I'm happy to create one and link it here…

To further streamline the login flow, there should be an option to log out without losing 2FA device trust, like Amazon does. They seem to have two tokens: One for the user login credentials (username/password) and one for the second factor (TOTP in that case). One may log out (e.g. to make sure no other family member uses it) without the need to re-enter the 2nd factor upon re-login. That is a strong use case I think, but surely wrong here. But it would be interesting to have the login flow source code above, to be able to modify it.

My1 commented 2 years ago

@nursoda I think this all is better as separate issues. (Also maybe a way to switch challenges without needing to login again or play URL tricks.)

nursoda commented 2 years ago

> I think this all is better as separate issues.

Sure. In nextcloud/server?

@kowalski7cc Could you please provide me with the source file of your flow chart?

S0ulf3re commented 2 years ago

So, will there be the ability to turn off the password field at login entirely and just enter a username and then u2f?

My1 commented 2 years ago

> So, will there be the ability to turn off the password field at login entirely and just enter a username and then u2f?

That's what the button "sign in with device" is for. Also, if working as intended, U2F would NOT work with that as there's no User Verification (PIN/finger/whatever), so FIDO2 or a platform authenticator would be needed.

But yeah, axing the normal user/password prompt entirely would be great.

tatramaco commented 2 years ago

With Webauthn going 'mainstream' with Apple, Microsoft & Google deploying it in passwordless mode this year there is renewed interest in 'going passwordless'. I have organisations sticking with Google Workspace as NextCloud does not have a valid, functioning FIDO2/Webauthn implementation. This has been an open issue for 2 years now. What can we do to help improve the prioritisation of this ?

My1 commented 2 years ago

> With Webauthn going 'mainstream' with Apple, Microsoft & Google deploying it in passwordless mode this year there is renewed interest in 'going passwordless'. I have organisations sticking with Google Workspace as NextCloud does not have a valid, functioning FIDO2/Webauthn implementation. This has been an open issue for 2 years now. What can we do to help improve the prioritisation of this ?

Google iirc is plain password+U2F 2FA too, not passwordless webauthn.

tatramaco commented 2 years ago

Check the news. Multiple articles about all 3 firms going passwordless this year......

for example https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/

My1 commented 2 years ago

I have heard about them wanting to, but do they have it working yet?

tatramaco commented 2 years ago

That was the big deal with the announcement - The tech giants said the new passwordless capabilities will be enabled across Apple, Google and Microsoft platforms “over the course of the coming year.” You can already do it on M$ for consumer and AzureAD hybrid. The rest should be in the pipeline for this year. Hence we are seeing renewed interest in the area. Being able to use a NIST AAL-3 authenticator along with changes in cyber insurance and the major players introducing it on their platforms is pushing this more mainstream.

With this in mind how do we get this some dev love in NextCloud ?

My1 commented 2 years ago

I would love to see some dev love even without this in mind. But one of the bigger issues with NC passwordless is external storage with user credential forwarding, as that does get very weird very fast (at least last time a colleague tried).

gymnae commented 2 years ago

Please add this, it would be great to have

ChristophWurst commented 2 years ago

I'm experimenting with PINs for passwordless auth in Nextcloud as part of https://github.com/nextcloud/server/pull/34389 and see that the info from https://github.com/nextcloud/server/issues/21215#issuecomment-678773516 is still up to date. My FF on Linux doesn't do PIN. That means if we required a PIN it would potentially make passwordless login impossible for FF users. Both new as well as existing users of the feature.

So, I'm thinking of going just with recommended. At successful login we can check the UV bit and if a PIN was used (Chrome) we skip 2FA, if it wasn't (FF) we go through the current flow.
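The three pieces this thread keeps returning to (request user verification from the browser, check the UV flag in the returned authenticator data, and only then decide whether the Nextcloud 2FA step may be skipped), as an added example that is not Nextcloud's code. It assumes a hypothetical relying party id and a constructed authenticator data buffer; the flag bit positions are those of the WebAuthn specification.

```javascript
// Added example (not Nextcloud code). WebAuthn authenticatorData flag bits:
// bit 0 = User Present (UP), bit 2 = User Verified (UV, i.e. PIN/biometric was used).
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;

// Client side: options for navigator.credentials.get(). "preferred" keeps login
// possible for browsers without PIN support (the Firefox-on-Linux case above);
// "required" would make those browsers fail the assertion.
function buildRequestOptions(challenge, allowCredentialIds, userVerification = "preferred") {
  if (!["required", "preferred", "discouraged"].includes(userVerification)) {
    throw new Error("invalid userVerification value");
  }
  return {
    publicKey: {
      challenge,
      rpId: "cloud.example.org", // assumption: hypothetical relying party id
      allowCredentials: allowCredentialIds.map((id) => ({ type: "public-key", id })),
      userVerification,
    },
  };
}

// Server side: authenticatorData layout is rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | optional attested credential data / extensions.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount = ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// Policy discussed in the thread: a passwordless assertion counts as two factors
// (possession + PIN/biometric) only when UV is set; otherwise the normal 2FA flow runs.
function secondFactorRequired(authData) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) throw new Error("user presence flag missing; reject assertion");
  return !parsed.userVerified;
}

// Constructed sample buffer: zero rpIdHash, the given flags byte, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}
```

In a real deployment the signature over authenticatorData and clientDataHash must be verified before the flags are trusted; the check above is the policy step that follows that verification.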

My1 commented 2 years ago

Well, passwordless login kinda by definition goes through with 2 separate factors. Firefox not asking for a PIN is a Firefox problem and obviously should be reported there, but using what amounts to U2F plus a second factor means there are 2 "something you have" things and not 2 distinct factors like, for example, something you know and something you have.

ChristophWurst commented 2 years ago

> Well, passwordless login kinda by definition goes through with 2 separate factors.

Could you share a link to that definition?

> Firefox not asking for a PIN is a Firefox problem and obviously should be reported there

https://bugzilla.mozilla.org/show_bug.cgi?id=1530373