nextcloud / twofactor_webauthn

WebAuthn Two-Factor Provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_webauthn
GNU Affero General Public License v3.0

Any way to prevent Windows Hello from being used as the second factor? #143

Open behines opened 2 years ago

behines commented 2 years ago

Question

Hi Christoph,

Thanks for the great U2F and WebAuthn Nextcloud apps. We have handed out Yubikeys to all of our employees and external partners and use them for second-factor Nextcloud authentication.

I was wondering if you had seen this issue, and whether you have any advice:

https://help.nextcloud.com/t/nextcloud-allowing-login-with-windows-hello-bypassing-yubikey/131216

When we tried switching from U2F to WebAuthn (to support Chrome's deprecation of U2F), what we are finding is that on Windows under Chrome, users are able to log in using Windows Hello as the second factor, bypassing the Yubikey.

For now our workaround is to continue with U2F rather than WebAuthn, and we require users to use Firefox to authenticate.

Thanks, Brad

Summary

Windows users are able to bypass Yubikey second-factor authentication, using local Hello credentials.

ChristophWurst commented 2 years ago

There are no plans for such restrictions.

tushev commented 11 months ago

I would ask you to reconsider that.

With platform-bound passkeys becoming more and more popular, there are increasing chances that (especially not tech-savvy) users will succumb to OS prompts and register platform-bound passkeys instead of cross-platform ones.

Please let the instance administrators either make that choice themselves, or leave it up to users. As it is with 2FA now: they can enforce it, or leave it up to users.
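For readers wondering what such a restriction would look like at the WebAuthn level, here is an added example (not code from the twofactor_webauthn app, and the `policy` values and RP name are hypothetical). It builds the registration options a relying party passes to `navigator.credentials.create()` so that only roaming authenticators such as a YubiKey are offered, and adds a server-side check on the registered credential's transports, since the attachment hint is honoured by the browser but cannot be verified from the response alone.

```javascript
// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// With policy "cross-platform", the browser only offers roaming authenticators
// (USB/NFC/BLE keys) and does not prompt for Windows Hello or Touch ID.
function buildRegistrationOptions(challenge, userId, userName, policy) {
  const options = {
    challenge,                         // Uint8Array issued by the server
    rp: { name: "Example Nextcloud" }, // hypothetical RP name
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: { userVerification: "discouraged" },
    attestation: "none",
  };
  if (policy === "cross-platform") {
    // Client must exclude platform (built-in) authenticators.
    options.authenticatorSelection.authenticatorAttachment = "cross-platform";
  } else if (policy === "platform") {
    options.authenticatorSelection.authenticatorAttachment = "platform";
  }
  // policy "any": attachment left unset, browser offers both kinds.
  return options;
}

// Server-side check after registration. `transports` is what the client
// reported via credential.response.getTransports(); "internal" marks a
// platform-bound credential such as Windows Hello. Returns true if the
// credential is acceptable under the policy.
function isCredentialAllowed(transports, policy) {
  const isPlatform = transports.includes("internal");
  if (policy === "cross-platform") return !isPlatform;
  if (policy === "platform") return isPlatform;
  return true; // "any"
}
```

An empty transports list is ambiguous (older browsers report nothing), so a stricter deployment would additionally verify the attestation AAGUID against an allow-list of approved hardware keys.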