YubiKey Passwordless not requiring FIDO2-PIN

I noticed that when I use my YubiKey with passwordless sign-in, Nextcloud does not prompt me for my FIDO2-PIN. It looks like the request includes userVerification: discouraged. Is there any way to change that to required or at least preferred? Because currently it feels very insecure.

I don’t know if requesting the PIN is the responsibility of Nextcloud at all, because once you have started a key authentication a window is opened by the web browser, which is communicating with the hardware key - at least if you use Firefox :wink:

It is the responsibility of Nextcloud, or rather of any website. Sadly most websites don’t require a PIN for authentication. I have already edited the Nextcloud PHP to require authentication, but that obviously gets reverted by the next update. So I am asking if there would be any way to implement it permanently into Nextcloud.

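To make the two points above concrete, here is an added example (not Nextcloud's code, and not from anyone in this thread) showing the two halves of the userVerification setting: the option the relying party sends to navigator.credentials.get(), and the server-side check that the authenticator actually performed user verification. The rpId, the sample authenticatorData bytes and the function names are assumptions constructed for the example. The server-side half matters because a client can ignore the requested policy; only the UV flag in the signed authenticator data proves a PIN or biometric was used.

```javascript
// Added example, not Nextcloud's own code. Relying-party id and sample data are constructed.

// --- Browser side: what the server asks the authenticator to do ---------------
// userVerification is one of 'required', 'preferred' or 'discouraged'.
// With 'discouraged' a YubiKey will sign with a touch only and never ask for its PIN.
function buildRequestOptions(challenge, credentialIds, policy) {
  const allowed = new Set(['required', 'preferred', 'discouraged']);
  if (!allowed.has(policy)) {
    throw new RangeError(`unknown userVerification policy: ${policy}`);
  }
  return {
    challenge,                           // random bytes issued by the server
    rpId: 'cloud.example.com',           // assumption: placeholder relying-party id
    timeout: 60000,
    allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id })),
    userVerification: policy,
  };
}

// --- Server side: verify the authenticator really did what was asked ----------
// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4] | optional extensions
const FLAG_UP = 0x01; // bit 0: user present (touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or biometric)

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33),       // big-endian counter
  };
}

// Apply the policy to a parsed assertion. 'required' is the only value that
// lets the server reject a PIN-less signature; 'preferred' and 'discouraged'
// both accept presence-only assertions.
function assertionMeetsPolicy(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'UP flag not set' };
  }
  if (policy === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'user verification required but UV flag not set' };
  }
  return { ok: true, reason: parsed.userVerified ? 'user verified' : 'presence only' };
}

// Constructed sample authenticatorData: all-zero rpIdHash, given flags, counter 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, 7);
  return buf;
}

// Demo: the same touch-only assertion passes under 'preferred' and fails under 'required'.
const touchOnly = sampleAuthData(FLAG_UP);
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV);
console.log('preferred, touch only :', assertionMeetsPolicy(touchOnly, 'preferred'));
console.log('required,  touch only :', assertionMeetsPolicy(touchOnly, 'required'));
console.log('required,  touch + PIN:', assertionMeetsPolicy(touchAndPin, 'required'));
console.log(buildRequestOptions(new Uint8Array(32), [new Uint8Array(16)], 'required'));
```

Changing the request option from discouraged to required is the easy part; the server must also refuse assertions whose UV flag is clear, otherwise the PIN prompt can be bypassed by any client that simply does not honour the requested policy.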

I would recommend filing a pull request with the desired changes.

There is definitely a trade-off between security and usability, and while most people would consider a FIDO2 key without a PIN to be secure enough, PIN verification is definitely not part of the FIDO protocol without reason.

Ideally there would be a server-side setting to adjust the security level to your needs.
