Problem: Run users with different access types (Fido2 & 2Factor_totp) at the same time

The following problem:
I have several users on Nextcloud who are successfully using 2Factor_totp.

Now I will successively introduce passwordless login with the Fido2-Security-sticks.

I have enabled Force 2Factor_totp in the administration settings to guarantee security for all users of 2Factor_totp.

If the users register their Fido2-Security-stick they will be added to a new group which is excluded from using the 2Factor_totp. Of course, I don’t want to activate the 2nd factor for the Fido2 users to remove the Fido2 comfort again.

However, this setting also has the consequence that the new Fido2 users can now alternatively log in the conventional way with user name/password, but this time without the 2nd factor… This reduces security!!!

HOW DO I BEST SOLVE THIS SITUATION?

I would like to
1. still have users who only use the login with 2Factor_totp

and

2. at the same time have users who exclusively use Fido2.
So comfortably passwordless and without 2nd factor.

I assume that this is only possible via the group rules.

Thanks for hints/tips

Cheers Frank

So you

  • don’t want certain users to use 2FA
  • are surprised they can log in without 2FA

so?

Yes you can configure this as an admin.

Ok, is it then also possible that a user who has activated and registered Fido2 is no longer able to login with a password?

No that is not possible right now. Password login is always an option.

So it is actually better to leave 2FA generally activated?

Right now I would say so because the fido2 login is also not ensured to be a two-factor protected login. There is an option for that in the webauthn spec IIRC and we don’t check/enforce that yet. So the regular 2FA on top is recommended.

So the passwordless Fido2-login (which is currently the strongest security standard) would not (yet) be that comfortable, because I still have to type in the 6-digit numeric code of the 2F_totp afterwards (according to the recommendation).

Do I see this correctly?

What are you trying to achieve with this conversation? Are you here to search for free support or is this just for ranting? If it’s the latter then please stop at this point.

I explained what works and what does not.

This seems to be a misunderstanding

Since Nextcloud 19 advertised password-free login as a convenient and secure solution and I want to switch several users from 2F_totp to Fido2_webauthn while at the same time keeping several users on 2F_totp, I did indeed have open questions.

I don’t understand your excitement right now. My presentation and especially my expression was absolutely correct, I did not offend you. I just wanted to have the problem confirmed, because it is not easy for me to understand the technical problem.


Hello there,

I have a similar need as @frank.scheuer does:
If a user has enabled FIDO2 as a way to log in, I do not want to have 2FA in place.
I created a Github request a few months ago: https://github.com/nextcloud/server/issues/21215

To illustrate my need, I may cite the Microsoft login process:
Login method 1) I enter my username/email address as well as my password in the 1st step. Then I get asked for my TOTP. Login successful.

Login method 2) No need to enter my username/email address. On Windows 10 a window pops up asking me for my key PIN. I enter it, push a button and get logged in.

so let’s continue there?

https://github.com/nextcloud/server/issues/21215#issuecomment-638831549 and https://github.com/nextcloud/server/issues/21215#issuecomment-678773516 pretty much sum up the current limitations and why we can’t blindly disable 2FA for webauthn logins as @frank.scheuer would suggest.

Nextcloud would have to make sure the webauthn device is two-factor protected. Only then can it count as a valid replacement for the 2FA in the application, like Nextcloud in our case.

@arrow_to_knee the two flows you describe make sense. This is likely what has to be done to finish https://github.com/nextcloud/server/issues/21215 but I’m not an expert on webauthn by any means.

So, again, let’s continue in the ticket instead of branching this discussion off onto a new thread. Most of the requirements are there. What we now need is someone who delivers the required changes and helps maintain the feature afterwards.
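The limitation named in this post and in the earlier reply ("the fido2 login is also not ensured to be a two-factor protected login ... there is an option for that in the webauthn spec and we don’t check/enforce that yet") comes down to one byte of the WebAuthn assertion: the `flags` byte of `authenticatorData`, whose UV bit says whether the authenticator itself verified the user (PIN or biometric) on top of the touch (UP bit). The example below is added here to show what such a check looks like; it is not Nextcloud code and not part of the linked ticket. It parses the fixed 37-byte prefix of `authenticatorData`, reads the flags, and decides whether a passwordless login may count as two-factor or whether the server should still prompt for the configured second factor. The relying party id, sample flag combinations and the policy function name are constructed for the demonstration.

```python
import hashlib
import struct

# Bit layout of the WebAuthn authenticatorData "flags" byte (WebAuthn spec, authenticator data).
FLAG_UP = 0x01  # user present: someone touched the authenticator
FLAG_UV = 0x04  # user verified: authenticator checked PIN or biometric
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

# Constructed relying-party id for the sample data; a real server uses its own origin's RP id.
SAMPLE_RP_ID = "cloud.example.test"


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short: %d bytes" % len(auth_data))
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "has_attested_credential": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def passwordless_counts_as_two_factor(parsed: dict, rp_id: str) -> bool:
    """Policy (hypothetical name): a passwordless WebAuthn login may replace the app's
    second factor only if the assertion is bound to our RP id, the user was present,
    and the authenticator performed user verification (possession + PIN/biometric).
    The server must still verify the assertion signature separately."""
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return False
    return parsed["user_present"] and parsed["user_verified"]


def login_decision(auth_data: bytes, rp_id: str = SAMPLE_RP_ID) -> str:
    """Map an assertion's authenticatorData to the next step of the login flow."""
    parsed = parse_authenticator_data(auth_data)
    if passwordless_counts_as_two_factor(parsed, rp_id):
        return "login complete"
    # Possession-only assertion (touch without PIN/biometric): keep the configured
    # second factor, e.g. TOTP, instead of silently downgrading to single-factor.
    return "require second factor"


def build_sample_auth_data(flags: int, sign_count: int = 0, rp_id: str = SAMPLE_RP_ID) -> bytes:
    """Constructed authenticatorData prefix for testing; real data comes from the authenticator."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    samples = {
        "touch only (UP)": build_sample_auth_data(FLAG_UP, 12),
        "touch + PIN (UP|UV)": build_sample_auth_data(FLAG_UP | FLAG_UV, 13),
        "UV without UP (malformed)": build_sample_auth_data(FLAG_UV, 14),
        "other RP id": build_sample_auth_data(FLAG_UP | FLAG_UV, 15, rp_id="other.example.test"),
    }
    for label, data in samples.items():
        print("%-28s -> %s" % (label, login_decision(data)))
```

The UV bit is only meaningful if the server asked for it: the assertion options sent to the browser should set `userVerification` to `"required"`, and the check above then enforces on the server side what the client was asked to do, since the browser's JSON cannot be trusted. Everything else in assertion verification (challenge, origin, signature over `authenticatorData || SHA-256(clientDataJSON)`, sign counter) still has to be done by the WebAuthn library; this example covers only the flag policy the thread is about.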

I agree; that makes sense as a suggestion, and the developer notification is already on Github.

:+1: I agree with that too. On Github things are already described. Hopefully someone can be found who can remove the restrictions in time. Only then will Fido2_webauthn with its passwordless login be as comfortable as it should be.


This topic was automatically closed after 4 days. New replies are no longer allowed.