NC26 and webauthn / passkey with Android - possible or not?

Hello,

is the webauthn authentication with NC26 (v26.0.7) together with an Android v11 mobile phone possible?
I tried to add my device - but no success.
I open the Internet browser (Firefox or Chrome - same behavior in both) on my Android device, log in (normal user / password), go to personal information/security and click on “add WebAuthn device”.
Then a dialog opens saying “choose device” and shows me three options: NFC-key, USB-key and “this device”.
But when I click on “this device” nothing happens - it stays at that dialog without any reaction.
NC logging also shows nothing…

Am I doing something wrong or is it not possible?

I thought android would support passkey authentication since v9 and NC since v17?

2 Likes

As far as I know:

NC 27 and before supports Webauthn (FIDO2 non-resident / non-discoverable Keys). That is, the Nextcloud Server saves a secret the Security Device (like a Yubikey) provides. The Yubikey itself does not save anything about the Website. The Website always needs at least the Username and Security Device for Login.

Nextcloud currently doesn’t support what Google made known as Passkey (FIDO2 resident / discoverable Keys). Here the Security Device saves a user-specific Secret from the Server, which it presents when you try to login. In this case you only need the Security Device to Login.

It’s more complicated than that but that’s my relatively short explanation. It would be great if Nextcloud supports Passkeys natively in NC 28 or 29 but I’ve yet to see something like that announced.

That is why under Personal Settings > Security > Authentication without Password it says “Add Webauthn-Device” and not “Add Passkey”. Maybe the “this Device” Option in the Android Security Key Auth-Feature only allows Passkey and not Webauthn.

Also using the current “Authentication without Password” via Webauthn doesn’t allow you to disable normal Login via Password. Because of this it would be unwise to disable your 2FA Options. However now you can either Login with Username + Password + 2FA (TOTP / Notification / Webauthn) or Username + Webauthn + 2FA (TOTP / Notification / Webauthn). It does eliminate Password use (not the ability to use) but seems kind of like an insane implementation of it.
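To make the non-discoverable vs. discoverable distinction from the post above concrete, here is an added example (not Nextcloud's code) of the options a relying party hands to `navigator.credentials.create()` and `navigator.credentials.get()` in each mode. The RP id, user handle and challenge are constructed placeholders; the real calls are left out so the helpers run offline.

```javascript
// Constructed placeholder relying party (not a real Nextcloud instance).
const RP = { id: "cloud.example.org", name: "Example Nextcloud" };

// Registration options.
// "nonDiscoverable": the server stores the credential; the key keeps
//   nothing per site and the login always starts with a username.
// "discoverable": what Google calls a passkey; the key stores a per-site
//   credential plus the user handle, so login can start without a username.
function buildCreationOptions(kind, user, challenge) {
  const discoverable = kind === "discoverable";
  const residentKey = discoverable ? "required" : "discouraged";
  return {
    rp: RP,
    user: { id: user.handle, name: user.name, displayName: user.name },
    challenge, // fresh random bytes minted by the server per ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      residentKey,
      requireResidentKey: discoverable, // WebAuthn Level 1 spelling
      userVerification: discoverable ? "required" : "preferred",
    },
    timeout: 60000,
  };
}

// Login options. A non-discoverable credential can only be used if the
// server first looks up the user's stored credential ids by username and
// lists them in allowCredentials. For a discoverable credential the list
// stays empty; the authenticator picks the credential and returns the
// user handle, which the server then maps back to the account.
function buildRequestOptions(kind, storedCredentialIds, challenge) {
  const discoverable = kind === "discoverable";
  return {
    rpId: RP.id,
    challenge,
    allowCredentials: discoverable
      ? []
      : storedCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: discoverable ? "required" : "preferred",
    timeout: 60000,
  };
}

// True when the ceremony cannot begin until the user has typed a username,
// i.e. the server had to pre-select credentials for this account.
function needsUsernameFirst(requestOptions) {
  return requestOptions.allowCredentials.length > 0;
}
```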

I am very confused, as when initiating the adding of a passkey as a second factor or as a login device, in both cases I could add them when initiating the process on my Android phone’s browser, but the process times out when trying to add it from my browser ???

Passkeys are great, but each website uses them completely differently, sometimes I can make it work, sometimes not, confusing as hell.