Two-factor authentication with yubikey on android

Dear All,

On NC24 wtih Two-Factor WebAuthn app, I am well able to use hardware tokens as long as I am on a Linux or Windows PC. That does include both two-factor authentication (= password plus key) and passwordless authentication.

What I would really like to achieve is to use an NFC yubikey also on android in the variant of two-factor authentication (= password plus key). When I try that using chromium on android, everything does work passwordless: A white page does present the question if one wants to use NFC or USB …, one holds the NFC key close to the smartphone and authentication does work. However, the other variant (two-factor authentication = password plus key) does not seem to work on android (while it is fine on the desktop PC): Authentication seems to fail before the question about NFC and alternatives is presented.

Can someone please be so kind to point me to the right solution? Should I file an issue at Github under the Two-Factor WebAuthn app?


Michael Schefczyk

I use on Android the Nextcloud app and not the browser … browser on mobile makes no really sense.

After first login (user and password) the app does not use user and password but a session key. You can find it out here: https://cloud.server.tld/settings/user/security

You can easily find out. Change the Nextcloud password via the browser on the PC and you don’t have to change it in the app. The key still exists.

I think 2FA would only make sense if you install Nextcloud on a new Android device (e.g. a hacker). Whether this is possible, I do not know.

Thank you very much. I should have mentioned that I am using client certificates in front of the regular login screen. Client certificates do not work with the app. For that reason, there is probably no room for the mode I am looking for.

Years ago I also used client certificates. It’s really great in the browser. But basically I think using the smartphone apps is far better and more secure than the smartphone browser. Here the client certificates are more of a hindrance I would say.

But I think if you already use client certificates, you can do without 2FA with yubikey. That’s really double then, isn’t it? Normally, no one hands over their smartphone, and it also has to be unlocked. Conversely, the client certificate is useless if the smartphone is stolen and hacked. But also applies when using the smartphone app from Nextcloud.