nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Webauthn doesn't prompt for pin entry on Ubuntu 20.04 Firefox #22025

Closed pauldapps closed 3 years ago

pauldapps commented 4 years ago

Action: When enrolling and using webauthn with a Yubikey security key or Yubikey 5 NFC, a pin should be required to use the FIDO2 interface for passwordless logins.

tl;dr: On ubuntu 20.04, firefox 78.0.2, Nextcloud 19.01, passwordless login is allowed using only "U2F." Other browsers and OSs work as expected which makes me think this is a bug.

The expected behavior I had was: Login > Key insertion > pin entry > FIDO2 auth > user authenticated. This is safe two factor authentication. Something I have, and something I know.

The behavior noted is: Login > Key insertion > just press the button > authenticated. This is only a single factor... and a weak one.

Upon examining my yubikey with the command line tools, there are no resident credentials saved on the key itself for nextcloud. Meaning, FIDO2 isn't being used as it should for passwordless auth (to my knowledge). It seems to be being used as U2F only.

Upon turning off the FIDO2 interface of my Yubikeys (something that should break FIDO2 logins) I was able to passwordless-auth into my account using only U2F.

Upon turning off the U2F interface of my Yubikeys (something that should have zero effect on FIDO2) I was unable to passwordless-auth into my account. Thus proving the U2F interface, not the FIDO2 interface is being used for passwordless authentication in this scenario.

This is not the intended use case for the U2F authentication flow to my knowledge. Which results in a weak single-factor login.

Please roast me and tell me I'm wrong. This is the very first GitHub post I've ever made.

Edit: After disabling the FIDO2 module on the Yubikeys, I can "U2F" in to NextCloud without entering a pin for the key on all browsers and operating systems I have access to (Win 10 2004, Ubuntu 20.04, Chrome, FF, Edge).

Disabling the module is a non-privileged action for the key, so that makes it an incredibly simple way to bypass the security benefits of FIDO2 over password + U2F.

DRRDietrich commented 4 years ago

There should be an option in the settings to make the PIN required.

nemhods commented 4 years ago

If I read the source correctly, Nextcloud explicitly sets the verification option to AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED, which results in the WebAuthn system never asking for user verification through PIN or Fingerprint.

This should really be configurable through the admin UI, or at worst through config.php...

nemhods commented 4 years ago

This issue discussed here: https://hwsecurity.dev/2020/08/webauthn-pin-bypass/

Even when a PIN was asked for when registering, both Microsoft and Nextcloud didn't verify if the actual response sent to the webserver indicated a successful PIN entry.

At Microsoft, they declared it a security vulnerability and fixed it. At Nextcloud, they disabled PIN entry completely and defined it as intended behavior, therefore condemning security keys to being a single factor only for now.

(slight rant) I don't even think nextcloud warns you to add a second factor if you simply trade a password for a security key. This makes security key theft a real threat. It doesn't even have to be a traditional theft - a co-worker could simply grab my key from the desk, plug it in, quickly authenticate and put it back. That takes like 10 seconds. IMO this is a worse situation than passwords if you have any kind of password policy.

Honestly I don't like the MFA aspect of the WebAuthn spec at all. As a security conscious user, I want it to be my decision to additionally protect my credential with a PIN if the service doesn't already enforce this. This is on the spec and on the hardware implementors, as they could add this feature into the firmware. (Yubico already requires PIN entry for AppID enumeration, why not have an option to enforce this for every WebAuthn action?) As a service administrator I want to be able to force my users to use PINs, at least if they want to go passwordless. This is on the integrators who should support many more options related to WebAuthn verification. Attestation and User Verification at least.

JoeDat commented 3 years ago

Not that @pauldapps description needs additional proof that U2F is being used for passwordless auth in Nextcloud, but I was able to register a Yubikey 4 NEO as a WebAuthn token. This key doesn't even support FIDO2.

megmug commented 3 years ago

Something is really wrong here... Issue persists in Nextcloud 20.0.4, but if you have TOTP enabled, you still need to provide a TOTP code. Given that most users will have their TOTP on the hardware key too, this still can't really be considered a second factor, since probably, users using a hardware key will use the TOTP off that, which has no additional protection (at least on my key).

My1 commented 3 years ago

As a service administrator I want to be able to force my users to use PINs, at least if they want to go passwordless

I think that's the entire point of the "Passwordless" feature that's being touted along with FIDO2 and why U2F was being sold as second factor, because that's the inherent point, passwordless means dropping passwords from the server, but not dropping the knowledge factor.

If I read the source correctly, Nextcloud explicitly sets the verification option to AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED, which results in the WebAuthn system never asking for user verification through PIN or Fingerprint.

This should really be configurable through the admin UI, or at worst through config.php...

imo on passwordless this should even be an option, set UV to required and CHECK IT ON THE SERVER.
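The server-side check that nemhods and My1 are asking for, as an added illustration in Python (not Nextcloud's own code, which is PHP): the relying party must not only request user verification, it must also parse the `authenticatorData` of the assertion and reject it when the UV flag is absent. The RP ID `cloud.example.com` and the sample assertion bytes are constructed here for the demonstration.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]                         # SHA-256 of the RP ID
    flags = auth_data[32]                               # UP/UV/AT/ED flag byte
    sign_count = struct.unpack(">I", auth_data[33:37])[0]  # big-endian counter
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }


def verify_assertion_flags(auth_data: bytes, rp_id: str, require_uv: bool):
    """Return None if the assertion is acceptable, else a string saying why not.

    require_uv=True is what a passwordless (single-credential) login needs:
    requesting userVerification="required" in the options only asks the
    client; the UV flag in the response is what proves a PIN was entered.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "rp_id_hash mismatch"
    if not parsed["user_present"]:
        return "user presence (UP) flag not set"
    if require_uv and not parsed["user_verified"]:
        return "user verification (UV) flag not set: PIN/biometric was not performed"
    return None


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData prefix (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

With `require_uv=False` (the "discouraged" setting the thread describes) a touch-only assertion passes, which is exactly the single-factor behaviour reported above.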

uli-heller commented 3 years ago

I'm testing my HW token (a solokey) against https://webauthn.io. They do have the same issue:

I'm very frustrated with this. My assumption was that the token is a very secure way to log in. Now I have to realize that it is easy to bypass. I think it is pretty bad if every service has to do some special actions to prevent this from happening since you cannot see from the outside if this is done or not.

So: The trust is fading, a lost token is potentially a disaster.

ajeitler commented 3 years ago

Same here. Was excited about security keys, but had to realize that for now they are only good as a second factor. Passwordless login without securing the key by a PIN is a no go for me. There is a false idea in the whole concept: Even entering the PIN on a device is a security risk in my view, because someone could read my keyboard strokes, and therefore gets my PIN. PIN verification should happen on the key itself, either by fingerprint or an integrated keypad; even a sensor that indicates finger movement would help to identify a sequence of finger gestures... The whole idea of a security key in my view is that its "security" is independent of the device on which it is used. My next step will be looking into solutions like biometric keys like the trustkey http://shop.wiznet.eu/trustkey.html. If this key allows access only with the fingerprint, it could be a solution for me, otherwise I will deactivate passwordless login and switch to classic two factor auth.

My1 commented 3 years ago

just because the PIN can be read out via a keylogger doesn't make it immediately insecure, usually keyloggers and stuff come from attackers far away without any chance of touching your device, which is kinda needed. on the other hand device stealing obviously generally comes from people closer to you, where the chance of getting a keylogger installed is lower.

Also, sorry to burst your bubble, while trustkeys have biometrics, they still use a PIN to manage them, also if you fail your fingers you can not only unlock it again with your PIN but also more recently browsers just ask for the PIN (for example if your finger is dirty that's kinda helpful, I know a teacher who had a laptop with FP but it rarely worked in school because chalk and stuff)


back to the actual topic of this issue though, passwordless without PIN is the actual problem here and nextcloud hasn't been the first, nor will it be the last that has this issue.

I think if this gets fixed and the server starts forcing the PIN that would actually help Passwordless as the only way to bypass the PIN on the device would be stealing the device, and then sidechanneling it or using any other method of reading things out where you likely have to break open the device, literally meaning if you keep an eye on your keys every now and then, you can just deactivate them if you lose them. An "I'll take the device for 5 minutes and bring it back" attack won't work here. also while passwords do have the property of being verified by the server the problem is that making good passwords is hard and remembering them even harder and a password manager does not make it too much better.

ajeitler commented 3 years ago

I agree that the possibility of someone installing a keylogger is quite low.. but exists, and therefore IS a vulnerability. But this was only a sidenote. I am also quite aware of the pros and cons of biometric authentication, therefore I will have to play around with such solutions.

But coming back to the nextcloud situation. I activated both: webauthn and second factor in my nextcloud account. Even with the same seckey. Result is: without password or PIN I am able to log in to the account by just pressing my finger twice on my security key. First, the key is used for passwordless login, and later the SAME key functions as second factor. This should not be possible, at least not within the same login. Yes I know, it is my choice as a user, but you know, most users don't have any clue about security and just do.

And another question, since I did not find it anywhere: Is there an option to deactivate password-login for an account at all - with deleting the password from the server?

My1 commented 3 years ago

But coming back to the nextcloud situation. I activated both: webauthn and second factor in my nextcloud account. Even with the same seckey. Result is: without password or PIN I am able to log in to the account by just pressing my finger twice on my security key. First, the key is used for passwordless login, and later the SAME key functions as second factor. This should not be possible, at least not within the same login. Yes I know, it is my choice as a user, but you know, most users don't have any clue about security and just do.

yup this is dumb and there are issues for that.

In fact passwordless shouldn't even ask for a second factor since it (provided it's implemented properly) by itself is both factors already.

And another question, since I did not find it anywhere: Is there an option to deactivate password-login for an account at all - with deleting the password from the server?

good question, I haven't seen anything for that

but exists, and therefore IS a vulnerability

sure and people cutting off or just using your finger while you are not really conscious (e.g. sleeping) also exists and IS a vulnerability, with the latter one literally having been done by kids already.

jlfranklin commented 3 years ago

A second side-effect of logging in with the Yubikey password-less is the user's encryption key cannot be loaded. The warning "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files." is shown to the user and some(!) files are no longer readable. Logging in with a password doesn't show that warning and allows full access to all files.

My1 commented 3 years ago

Makes kinda sense as there needs to be something static to en/decrypt that key. Hmac-secret maybe?

szaimen commented 3 years ago

So there is nothing that we can fix on the Nextcloud side, IIRC. Please continue this discussion in the forum. Thanks! https://help.nextcloud.com

My1 commented 3 years ago

what you definitely can do at the very least @szaimen, if not already done, would be to enforce UV for single factor login; also maybe ask for an encryption password if encryption is active