nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Support WebAuthn without PIN entry #36530

Open n1ttens opened 1 year ago

n1ttens commented 1 year ago

Is your feature request related to a problem? Please describe.

There are currently two methods available by default to replace passwords for authentication: U2F and WebAuthn.

When U2F is used, the user is asked to touch the authenticator to verify user presence. When WebAuthn is used, the user has to both touch their authenticator and enter a PIN.

According to the FIDO2 specification, the server can determine which methods the user has to provide to authenticate (e.g. only touch, only PIN, or both).

Describe the solution you'd like

When registering a WebAuthn authenticator, the user should be able to select the method required to authenticate, e.g. allowing the use of an authenticator without entering a PIN and instead only requiring user presence (touching the device).

Describe alternatives you've considered

Since entering a PIN in addition to touching the authenticator at every login is more inconvenient than plain password authentication, the logical alternative would be to stick with passwords.

Additional context

The forced use of PIN verification during the WebAuthn process is an inconvenience that could drive users to stick with weak password authentication.

tigernero79 commented 1 year ago

For me it's not so much having to enter the PIN (in my case 8 digits) and touch the token (in my case a Yubico 5 NFC), but that it will perform the second step (U2F) if this is still set.

The talk of deleting the token from the U2F settings: it would still log in to Nextcloud with username and password only if you don't click the WebAuthn login link, which would expose my account to brute-force attempts. So even having set my token to WebAuthn only does not enforce such use; there will always be username and password authentication if I want to enter, which is what I want to avoid by setting WebAuthn.

MrRinkana commented 8 months ago

I disagree with disabling the PIN for a hardware key when used as primary login (not 2FA), at least not as the default. The point of the PIN is for it to not be too long or complicated (since it does not need to be); much simpler than a password.

The PIN only needs to not be so obvious that it would be guessable in 7 tries (or whatever your HW key is set to), as the key will wipe itself if more wrong tries are made. This means it cannot be brute-forced. The PIN length also does not affect the strength of the cipher/key used for the actual login, and is only used to unlock the YubiKey (or whatever) itself. If you have set a long PIN that is inconvenient to input or you often forget, you are unnecessarily shooting yourself in the foot.

Side note: I actually don't need to input the PIN currently (even though I would want to), see #41599


However, a minor improvement to the login flow could be made even for non-resident keys (the current ones):

Sometimes one enters the username before clicking on "login with device". If "login with device" is clicked, not only should the username be kept, but the login should be started (PIN/press prompt). This saves a click in that case. (Currently the username is transferred to the "login with device" page, but the user has to click login again.)


The best login flow is obtained if Nextcloud starts supporting resident keys (don't have to enter the username), but that's another issue, see #41191.

Edit: Just to be clear, you cannot have resident keys without a PIN; it's required by the spec/device.