The following problem:
I have several users on Nextcloud who are successfully using 2Factor_totp.
Now I will successively introduce passwordless login with Fido2 security sticks.
I have enabled Force 2Factor_totp in the administration settings to guarantee security for all users of 2Factor_totp.
If the users register their Fido2 security stick, they are added to a new group which is excluded from using 2Factor_totp. Of course, I don't want to activate the 2nd factor for the Fido2 users, as that would remove the Fido2 comfort again.
However, this setting also has the consequence that the new Fido2 users can now alternatively log in the conventional way with user name/password, but this time without the 2nd factor. This reduces security!
HOW DO I BEST SOLVE THIS SITUATION?
I would like to
1. still have users who only use the login with 2Factor_totp, and
2. at the same time have users who exclusively use Fido2, i.e. comfortably passwordless and without a 2nd factor.
I assume that this is only possible via the group rules.
Thanks for hints/tips