Open hockey6611 opened 4 years ago

Feature Request
Add logic to identify when passwordless authentication is enabled with the same key as U2F. Add features around this logic:

Summary
I noted in a test installation of Nextcloud 19 that I am able to set up passwordless authentication and U2F authentication with the same key. I think that this will technically allow bypass of MFA, and thus reduce security.
In my use case, my Nextcloud instance is not exposed to the internet directly, so I would like the option to use both passwordless and U2F as an MFA option (along with TOTP, etc.). However, this should not be the default. I would imagine this to be disabled by default and a checkbox for the administrator to allow the same key to be used for passwordless and U2F.

This is a tricky one, we'd need a way for the app to communicate with Nextcloud's passwordless auth and vice versa to exchange this information. But I'll think about it.
Thanks for the feedback :v:

Thank you for looking into it, and thank you for the work on this app. I am not sure on the hooks Nextcloud core allows to see the U2F key used for passwordless; I can definitely see this being tricky. I am not a developer, only a user of Nextcloud. Would a new issue in the Nextcloud core be necessary?

As I'm a developer of both systems it's fine to have this ticket here :)
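The check the feature request asks for, as an added example in Python (not Nextcloud's or the twofactor_u2f app's own code): detect a FIDO authenticator enrolled both as the passwordless login credential and as a U2F second factor, refuse the enrollment unless a (hypothetical) admin opt-in is set, and, at login time, keep the key that already opened the session out of the second-factor challenge. It assumes both stores expose the credential as a base64 or base64url string of the raw credential ID (a key registered through the U2F API has the same bytes as its U2F key handle and its WebAuthn credential ID, so the raw bytes are what must be compared, not the strings), and that the admin setting is a plain boolean; the sample credentials are constructed.

```python
"""Detect a FIDO authenticator that serves both as a passwordless (WebAuthn)
login credential and as a U2F second factor for the same user.

Added example, not Nextcloud code. Assumptions: both stores hand out the
credential as a base64/base64url string of the raw credential ID, and the
admin opt-in ("allow the same key for passwordless and U2F") is a boolean.
"""
import base64


def normalize_credential_id(encoded: str) -> bytes:
    """Decode a key handle or credential ID whatever its base64 flavour.

    U2F key handles are usually websafe base64 without padding, WebAuthn
    credential IDs are base64url (also unpadded), and some stores keep padded
    standard base64. Comparing the strings would miss a shared key, so the
    raw bytes are compared instead.
    """
    s = encoded.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def shared_credentials(passwordless_ids, u2f_key_handles) -> set:
    """Raw credential IDs enrolled for both passwordless login and U2F 2FA."""
    pw = {normalize_credential_id(c) for c in passwordless_ids}
    u2f = {normalize_credential_id(k) for k in u2f_key_handles}
    return pw & u2f


def u2f_enrollment_allowed(new_key_handle, passwordless_ids, allow_shared_key=False) -> bool:
    """Enrollment-time check: refuse a U2F key that already logs the user in
    without a password, unless the admin opt-in (assumed setting) allows it."""
    if allow_shared_key:
        return True
    known = {normalize_credential_id(c) for c in passwordless_ids}
    return normalize_credential_id(new_key_handle) not in known


def second_factor_candidates(login_credential_id, u2f_key_handles, allow_shared_key=False) -> list:
    """Login-time check: key handles allowed to answer the U2F challenge for a
    session opened passwordlessly with login_credential_id (None = password
    login, every key is fine).

    Without the opt-in, the authenticator that already proved possession for
    the first factor is excluded, so the second factor must be answered by a
    different authenticator or not at all.
    """
    if login_credential_id is None or allow_shared_key:
        return list(u2f_key_handles)
    used = normalize_credential_id(login_credential_id)
    return [k for k in u2f_key_handles if normalize_credential_id(k) != used]


if __name__ == "__main__":
    # Constructed sample data: key_a is enrolled twice, with different encodings.
    key_a = bytes(range(32))
    key_b = bytes(range(32, 64))
    passwordless = [base64.b64encode(key_a).decode()]                 # padded standard base64
    u2f = [base64.urlsafe_b64encode(key_a).rstrip(b"=").decode(),     # websafe, unpadded
           base64.urlsafe_b64encode(key_b).rstrip(b"=").decode()]
    print("shared key detected:", shared_credentials(passwordless, u2f) == {key_a})
    print("keys left for the 2FA challenge:", second_factor_candidates(passwordless[0], u2f))
```

The enrollment check is the default-deny the request asks for; the login-time filter is the fallback for keys that were enrolled twice before the check existed, since simply refusing new enrollments does not fix existing users.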