2FA just accepts same passkey twice

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.2
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04
  • Web server and version (e.g., Apache 2.4.25):
    • replace me
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • replace me
  • PHP version (e.g., 8.3):
    • replace me
  • Is this the first time you’ve seen this error? (Yes / No):
    • replace me
  • When did this problem seem to first start?
    • replace me
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO 10.0.0
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • replace me

Summary of the issue you are facing:

[…]

Steps to replicate it (hint: details matter!):

  1. Use 2FA and Webauthn phone has passkey
  2. Login and choose login with device
  3. After the passkey was entered on the phone, Nextcloud asks for the 2nd factor and … accepts the passkey from the phone again.

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

PASTE HERE

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

PASTE

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

PASTE HERE

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.

Sure you are talking about Passkeys?

You being funny?
My fingerprint on my phone is a passkey registered in my Google account for my Nextcloud account.
That’s as valid a U2F passkey as Your YubiKey??? or whatsoever would be. (less secure, admittedly)
What do You think a passkey would be?

And nc authentication accepts

  1. my fingerprint after I chose login with a device and
  2. thereafter it tells me that 2FA is on, but accepts the same passkey as a second factor.

But presenting one thingy twice does not make it two, does it? That’s still 1FA.

No.

A passkey is not 2FA. It should be a replacement for a password AND 2FA, e.g. an SMS code.

A fingerprint is not a passkey. It just unlocks your phone, and the passkey can be read from the Secure Enclave of your device.

heise has some really good articles about passkeys, which Amazon, eBay and others are offering right now.

So we tell Google they’re wrong?

Right, I used sloppy language.

My fingerprint is technically not a passkey; that’s a private key it has for this account. But my fingerprint unlocks its application to the public key presented by the server.

No, please re-read the text. You unlock your device to enable it to use stored passkeys. It could be the fingerprint or a pattern to unlock.

That’s what I wrote.

And should I reread nextcloud docs on 2FA as well?

So a passkey on my phone - use of which I can authorize with my fingerprint - can be a part of my 2-factor authentication.

And my original complaint prevails: If You configure WebAuthn and 2FA, Nextcloud doesn’t ensure that there are two different proofs of identity.

Hmm, not sure if that would even be possible.

I mean, the built-in passwordless login feature and the 2FA WebAuthn app are two separate apps, so that alone probably prevents them from knowing if the other one is using the same passkey provider or not, if there’s any way for the apps to distinguish between passkey providers in the first place, which I also doubt there is.

So I’d say that if you absolutely want to add 2FA with another passkey, even though passkeys are supposed to be a replacement for passwords and 2FA, it’s up to you to make sure that “two different proofs of your identity” are used, like for example a passkey provided by the Google password manager for passwordless login and a hardware key for 2FA.

I see that it cannot work with 2 different apps.
It’s not that I absolutely want 2FA together with a passkey; it is the NC docs cited above and the NC security settings page that imply this possibility - and a short search could show You more opinions where passkeys are not viewed as mutually exclusive with MFA.

Nextcloud security settings should offer either passwordless authentication or 2FA - including security keys.
Backup codes should be offered independently, because they are a replacement of other authentication methods, not an additional factor.

I’d say no, because why restrict users to add it if they absolutely want to.

However, I think it should be possible to disable authentication with username/password when passwordless login is enabled, in which case it would also make sense to offer backup codes for the passwordless login.

Then what does the word passwordless mean???

Having both on is not liberal, but confusing in my not so humble :face_with_hand_over_mouth:opinion.

There are two primary methods to log in to Nextcloud:

Passwordless Login:

This method uses WebAuthn, FIDO2, or Passkeys. These terms essentially refer to the same technology but with slight differences in context or branding.

WebAuthn/FIDO2 has been around for a few years, providing login options mainly through hardware tokens (e.g., YubiKeys) or biometric devices. Passkeys expand this capability by enabling software-based password managers or device synchronization (e.g., iCloud Keychain or Google Password Manager) to act as your “hardware token.”

Traditional Login:

The traditional username and password combination.

This method remains active when you enable Passwordless Login, and therefore ensures that if you lose access to your passkey or hardware token, you can still log in using your credentials.

2FA

2FA is an additional thing, and can be set up regardless of the login method (passwordless or traditional username/password).

Supported 2FA methods in Nextcloud include:

  • TOTP (e.g., Google Authenticator or Authy),
  • Email-based codes,
  • SMS-based codes,
  • WebAuthn/FIDO2/Passkeys (reused as a second authentication factor),
  • and probably many more.

Once 2FA is enabled, having backup codes is crucial, as there is no ‘password reset’ function with 2FA. If you lose access to your passkey, TOTP secret or any other 2FA method, you won’t be able to log in unless you have multiple 2FA methods enabled as a fallback, just as the traditional login option can be used as a fallback if you lose the passkey for passwordless login.

Of course, the overall security of your system is only as strong as the weakest login or 2FA method you’ve enabled.

For example, if you enable passwordless login, but still allow username and password without strong 2FA, the traditional method could still become a vulnerability, so I think it should be possible to disable traditional login when using passwordless login, which would then allow you to disable 2FA for that account as well.
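As an added illustration of the “two different proofs of identity” point raised earlier in this thread (example code written here, not Nextcloud’s own code, and not how its passwordless login or its WebAuthn 2FA app actually work): a standalone model of a second-factor check that refuses a WebAuthn credential already used for the passwordless step, and optionally one from the same authenticator provider. The `StoredCredential`/`LoginSession` types and all credential IDs and AAGUIDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Authenticators that do not disclose their model/provider report an all-zero AAGUID.
ZERO_AAGUID = bytes(16)


@dataclass(frozen=True)
class StoredCredential:
    """What the relying party keeps per registered WebAuthn credential (constructed model)."""
    credential_id: bytes  # unique id chosen by the authenticator at registration
    aaguid: bytes         # authenticator model/provider id, recorded at registration


@dataclass
class LoginSession:
    user: str
    first_factor: Optional[StoredCredential] = None
    second_factor: Optional[StoredCredential] = None

    @property
    def authenticated(self) -> bool:
        return self.first_factor is not None and self.second_factor is not None


def passwordless_login(session: LoginSession, cred: StoredCredential) -> None:
    """Record the credential that satisfied the passwordless (first) step."""
    session.first_factor = cred


def accept_second_factor(session: LoginSession, cred: StoredCredential,
                         require_distinct_provider: bool = False) -> bool:
    """Accept cred as the second factor only if it is a different proof than the first.
    Returns False (session stays unauthenticated) when the same passkey is presented twice
    or, with require_distinct_provider, when both credentials share a known non-zero AAGUID."""
    first = session.first_factor
    if first is None:
        raise ValueError("second factor offered before the first factor succeeded")
    if cred.credential_id == first.credential_id:
        return False  # the same credential twice is still one factor
    if (require_distinct_provider and cred.aaguid == first.aaguid
            and cred.aaguid != ZERO_AAGUID):
        return False  # e.g. two passkeys both synced by the same password manager
    session.second_factor = cred
    return True


# Constructed sample credentials (ids and AAGUIDs are made up for this example).
PHONE_PASSKEY = StoredCredential(b"\x01" * 16, b"\xaa" * 16)    # synced passkey provider
PHONE_PASSKEY_2 = StoredCredential(b"\x02" * 16, b"\xaa" * 16)  # second key, same provider
HARDWARE_KEY = StoredCredential(b"\x03" * 16, b"\xbb" * 16)     # separate security key
```

The AAGUID is only delivered at registration and privacy-preserving authenticators zero it, so the provider check is best effort; the credential-ID comparison is what directly addresses the “same passkey twice” case in this thread.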
