How to require WebAuthn

Hi, I have Nextcloud up and running and have configured a Fido2 key for WebAuthn access.

Now I’d like to require the use of the key for login.

I tried Settings/Security/Two-Factor Authentication/Enforce 2-factor authentication.

But that doesn’t work. You are still presented with a Username/password screen for login. That’s not the end of the world - you can still click “Log in with a device”.

But when you do that (plug in the device and touch it, fine), you then get a dialog: “Two-factor authentication is enforced, but has not been configured for your account.”

Now we are well and truly locked out. Fortunately I was still logged in in another window and could revert the setting.

So I guess “two-factor authentication” and “WebAuthn” are two different things.

It appears that “Enforce 2-factor authentication” is not the answer.
How can I require the user to “Log in with a device”?

Thanks,
Brad

Yes, that is by design…
2FA essentially means two different passwords:

  • first, the old username/password combo; after successfully logging in,
  • second, plug in your FIDO2 key…

As long as the FIDO2 key is registered with your account, it will work…

1 Like

Hi Henry, thanks for your reply.

I understand what you are saying, but what you describe is not how it is working for me. To be clear, I am not using the “2FA” plugin, I am using the “Passwordless authentication” feature. That is, as you can see, I’ve added a WebAuthn device using “Screen 1” at the bottom of this message.

[Sorry for not posting the screenshots inline. Once again, the site is restricting me as a new user to only posting a single embedded image, so I had to cram my four screens into one giant image.]

[See SCREEN 1]

Then as seen on “SCREEN 2” below, from the main screen, a user can simply click “Log in with device”.

[See SCREEN 2]

After you click “Log in with a device” you see “SCREEN 3”.

[See SCREEN 3]

Then after you type your username and click “Log in”, you see SCREEN 4.

[See SCREEN 4]

And then you touch the key and you’re in.

This is all desired behavior. This is passwordless authentication. It was my understanding that this is as per design.

I simply want to bypass the first screen and go straight to the second. I don’t want anyone to be able to log in using passwords, only keys.

I have subsequently found a couple of indications that people are aware of this problem and it is in the queue to be fixed, but I haven’t seen any more than that: https://help.nextcloud.com/t/passwordless-questiosn/113448

Does anyone know any more than that? Right now my only workaround is to simply create impossibly long random passwords for each user and then never tell anyone what they are, and require users to simply skip the unwanted first screen.

Thanks,
Brad

I don’t think this is possible.
You can enforce 2FA, i.e. Username/Password+Key, but I don’t think you can enforce passwordless…

In other words, the key will be a must (aka no username/password-only login) but not in the passwordless form…

At the moment, passwordless authentication in Nextcloud does not mean your WebAuthn device replaces the password and the second factor at the same time. It just replaces the password, and the 2nd factor requirement remains untouched. It is possible to register your WebAuthn device as a 2nd factor additionally; during the login process the user then has to confirm the login twice… In my eyes this is not the idea behind WebAuthn, but it is how it works now… For this reason I don’t use WebAuthn for the initial login but only as a 2nd factor, which is more user friendly than TOTP (authenticator) apps…

What you are describing is more or less a federated single sign on.

In order to skip authentication, you need to provide another trusted source that tells you who you are. In a federated world that is called an IDP. It works because at some link in the chain of your experience, you do an authentication:

  • Logging onto your machine (now the machine trusts you and knows who you are).
  • Logging onto an authentication service (for example Microsoft, Google, Facebook, Twitter, LinkedIn, whatever supports OAuth or OpenID).
  • Logging onto Nextcloud

Any of the above can work with a federation service like OneLogin or Okta, and hence can give you the SSO, as the chosen service can be configured as a trusted IDP in Nextcloud. However, the login experience will have to happen elsewhere: a link that ensures you are authenticated in whatever service supports device-based login like a FIDO key or mobile device, and federation through OpenID, SAML or OAuth.

Sigh. Everybody seems to want to tell me what I want. One person says “that’s not real two-factor”, another says another trusted source is needed. But that’s not what I want.

I am happy to let anyone log in who

  • Has a key
  • Knows the username that goes with that key (hey, a second factor!)
  • Knows the hostname to connect to (hint, it’s not “nextcloud.mydomain.com”) (hey, a third factor!)
  • Knows which port I am providing the service on (hint, it’s not 443) (hey, a fourth factor!)

What I want is to let in anyone who has a key and also knows those other three secrets. That is plenty good enough for me. (We’re not in an office setting here, it’s not like I’m trying to prevent the person in the next cubicle from sneaking in to my office and viewing everybody’s salary.)

Another way to put it is this. Out of the box, Nextcloud allows BOTH types of logins:

  • You can log in with a username/password.
  • You can log in passwordless with a WebAuthn device.

I simply want to make my system more secure by disallowing the first of these.

I DO understand what you want. But NC is developed to follow standards fully, not half-heartedly. For that reason you cannot get NC to do what you want without what we advise.

Sent from ProtonMail mobile

-------- Original message --------
On 9 May 2021 07:50, Braden Hines via Nextcloud community < noreply@nextcloud.com> wrote:

…and I want pizza! :wink:

It’s not possible with Nextcloud at the moment, as @wwe already said.

To go deeper into that:

Security best practices: you need to authenticate. That requires who you are and what you know (minimum). Then you can add something you have (2FA).

To remove the first, you need something else that fulfills that, and you can only get that through federation, where the IDP provides the username/userid.
This CAN be accomplished IF using WebAuthn with the Nextcloud client and utilising the already established session and login to provide that information. However, if you are logged in with the client already, then extra security checks are useless and make no sense.

Sent from ProtonMail mobile

-------- Original message --------
On 9 May 2021 07:50, Braden Hines via Nextcloud community < noreply@nextcloud.com> wrote:

But I’m not wanting to remove the first. I still require the username.

My use case is this.

I’m herding cats on three continents. I want the security of a hardware key, but I need to lower the barrier to entry or people will just declare it too hard.

I understand the theory of best practices and what is and isn’t 2fa.

But I’m constrained by the real world. If nobody without a key can get into my system, that’s way better security for me than usernames and passwords.

2fa using WebAuthn also requires a pin. It’s just too much to ask of the people involved, and we just don’t need that.

I do have 2fa. I have 4fa:

If you find that key on the street, you can’t get into my system.

Even if the person has written his username on it, you can’t get into my system.

Even if you know the company the person works for and his username, you can’t get into my system.

This is good enough for many many people in the world, whether computer science agrees or not. Telling users that they are wrong isn’t the best way to market your product.

But most of all, Nextcloud already allows people to log in with just a key, right out of the box! So this isn’t my idea!

Nextcloud allows admins to turn off the “Log in with device” option, and fully endorses logging in with just a username and password. That’s not 2fa either.

So why is it that when I want to do something that’s actually more secure than username and password, that I’m told it’s too insecure and I can’t have it because it’s not completely secure?

For now, my workaround is just to change everyone’s password to something impossibly long that no one knows but me. This effectively disables the username/password login option, leaving only the login with device option that is already built into Nextcloud.

Seems like there should be a better way to do that.

1 Like

I should have spoken more clearly.

Of course people can’t log in with just a key. They have to have a username and a key.

So it’s username and key instead of username and password.

1 Like

Exactly, and this is only partially more secure than a username and a secure password. In both cases no second factor is involved.

So why is the less secure method allowed to be set up as the sole way of logging on, but not the more secure method?

1 Like

I used the wrong word. I should say: “it is only in certain situations more secure”, mainly in the event of a remote attack. But against remote attacks there are other measures you can take, like limiting the number of login attempts with the Brute-force Protection app or installing Fail2ban on your server. With your method, however, if the threat actor somehow gets his hands on your WebAuthn device, it is even less secure than a password, because the attacker then only has to guess your username.

In addition to my previous post:

Whether WebAuthn is more secure than a username/password combination depends also on whether WebAuthn (FIDO2) is used in single- or in multi-factor mode:

A FIDO2 authenticator may be used in either single-factor mode or multi-factor mode. In single-factor mode, the authenticator is activated by a test of user presence, which usually consists of a simple button push. In multi-factor mode, the authenticator (something you have) performs user verification. Depending on the authenticator capabilities, this can be:

  • something you know: a secret such as a PIN, passcode or swipe pattern
  • something you are: a biometric such as fingerprint, iris or voice

https://en.wikipedia.org/wiki/WebAuthn#Background

But to come back to your original question, or to the question why the password authentication cannot be switched off when WebAuthn is active: I’m not an expert and unfortunately I don’t know whether it has simply not yet been implemented or if there are technical reasons why it has not been implemented. Maybe you can check GitHub to see if there are any issues regarding this topic, and if not, maybe open a feature request …

There are a lot of different viewpoints in this discussion. The idea behind WebAuthn is definitely to get rid of passwords… Translating into the use case, the user

  • visits the resource (Nextcloud website)
  • enters the username
  • connects the WebAuthn device and presses the button

This is implemented in Nextcloud, but isn’t considered “two factor” in terms of the Nextcloud implementation. There are ways to address the issue. If you are happy with the security of one single WebAuthn device, just use it (set your user password to some abnormally complex value and only use your WebAuthn device without 2FA enforcement). Otherwise use a simple password you can remember and use your WebAuthn device as a real 2nd factor. Definitely your username and password don’t provide good protection, but the 2nd factor by WebAuthn device (and additionally another TOTP/authenticator) is really secure. Don’t worry and be happy…
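The workaround that both Brad (his “impossibly long random password” post) and wwe above describe, giving every account a long random password that nobody keeps so that only “Log in with a device” remains usable, can be scripted against occ. This is an added example, not code from the thread or from Nextcloud; it assumes it runs on the Nextcloud server, from the Nextcloud directory, as the web server user, that occ’s `user:resetpassword --password-from-env` reads the new password from the `OC_PASS` environment variable, and that the usernames to scramble are passed as arguments (`DRY_RUN=1` only prints what would happen).

```shell
#!/bin/sh
# Added example (not from the thread or Nextcloud): scramble the password of
# each given account so username/password login is practically unusable,
# leaving only the WebAuthn "Log in with a device" flow for users who have
# registered a key. Assumes: run on the Nextcloud server, from the Nextcloud
# root, as the web server user (e.g. sudo -u www-data sh scramble.sh alice).

OCC=${OCC:-"php occ"}      # how occ is invoked; override if your setup differs
PASS_LEN=${PASS_LEN:-64}   # length of the throw-away password

# gen_password [len]: random alphanumeric string from /dev/urandom.
# 512 random bytes give ~680 base64 characters; dropping '/', '+', '=' and
# newlines still leaves far more than the 64 we keep.
gen_password() {
    len=${1:-$PASS_LEN}
    head -c 512 /dev/urandom | base64 | tr -d '\n/+=' | cut -c1-"$len"
}

# scramble_user <uid>: reset one account. The password is handed to occ via
# the OC_PASS environment variable (--password-from-env), so it never shows
# up in argv, ps output or shell history, and it is discarded right after.
scramble_user() {
    user=$1
    OC_PASS=$(gen_password) || return 1
    export OC_PASS
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would reset password for '$user' (${#OC_PASS} random characters)"
    else
        $OCC user:resetpassword --password-from-env "$user"
    fi
    rc=$?
    unset OC_PASS
    return $rc
}

main() {
    for u in "$@"; do
        scramble_user "$u" || echo "failed: $u" >&2
    done
}

# Do nothing when invoked without usernames (e.g. when sourced for its functions).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Users who have not yet registered a WebAuthn device must do so before their password is scrambled, otherwise they are locked out until an admin resets the password again.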

Relax the password policy and make the password the same as username…
You still won’t bypass the first screen, but the user does not need anything but a username (to be entered twice) and the key…

Set this up as 2FA and remove the login with device line…

Hi Henry,

That’s a really interesting suggestion, thanks.

When I tried it, the 2FA version seemed to require that there be a PIN on the key and requires the user to enter the PIN. So it’s username/username/key/PIN.

(I am actually requiring anyone with admin rights to set up 2FA with a PIN, but wasn’t going to require that of non-admins.)

I’m guessing there’s no way to not require a PIN in this scenario?

Thanks,

Brad

This is really NOT a good idea. If for any reason something goes wrong and 2FA gets disabled, anybody will be able to log in just by guessing the username. As the name suggests, 2FA should not be used as a substitute for the first factor, but only as a supplement.

And why do we still have to discuss whether one should use secure passwords in 2021? If any form of password authentication is active, a strong password is mandatory, no matter whether 2FA is active or not. If you absolutely want to use single-factor WebAuthn to make it easy for yourself and your users, please use it the way @wwe recommended. You should never use a second factor as a replacement for a strong primary factor.

The best and most secure way of course would be real two-factor WebAuthn with passwords completely disabled, but unfortunately that’s not (yet?) possible with Nextcloud…