Description
This request was opened by amalg on Sep 25 in all-in-one-issue 6895
There was a hint to open a feature request here. I could not find any request like this.
amalg did describe the case very well, so I just pasted his request here again.
Hoping to find in future the choice to use passwordless without MFA, but keeping MFA for basic authentication.
"Steps to reproduce
enable totp for account
register security key (u2f) token for account
register webauthn fido2 resident key (passkey) passwordless token for account
log in with webauthn passwordless token
be asked for additional two-factor authentication
Expected behavior
totp and / or u2f security keys are meant as a second factor when used with account passwords. webauthn passkey / fido2 resident key authentications do not need two-factor rules applied because passkeys already challenge the user for a second factor. the first factor is possession of the token (or device with passkey) and the second factor is a pin code or biometric confirmed by the fido authenticator device.
when authenticating (logging in) to nextcloud "with a device" by way of webauthn authentication, additional two-factor methods like totp or u2f security key challenges should not be applied.
at the very least, allow individual and/or administrators to toggle application of additional two-factor challenges to passwordless authentication methods.
Actual behavior
when logging in with webauthn passwordless device (fido2 res key / passkey), if totp or u2f security key options are registered for the account, the user is challenged with an additional 2fa requirement after successful webauthn authentication."
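The reasoning in the request (possession of the authenticator plus a PIN or biometric already makes a passkey login two factors) maps onto a concrete server-side check: the authenticator data returned with a WebAuthn assertion carries a "user verified" (UV) flag that says whether the authenticator actually performed that PIN/biometric check. A relying party that wants to waive TOTP/U2F after a passkey login should only do so when UV is set, because a passkey used with user presence alone is a single factor. The following is an added example, not Nextcloud or Nextcloud AIO code; the policy function, its parameter names and the sample authenticator data are constructed for illustration, and the flag bit positions and 37-byte header layout are taken from the WebAuthn specification.

```python
import hashlib
import struct
from typing import Optional

# WebAuthn authenticator data header (37 bytes, per the WebAuthn spec):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
# followed by optional attested credential data and extensions.
FLAG_UP = 0x01  # bit 0: user present (touch / gesture)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric checked by the authenticator)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Extract rpIdHash, UP/UV flags and the signature counter from authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def requires_additional_second_factor(
    login_method: str,
    auth_data: Optional[bytes],
    rp_id: str,
    enrolled_2fa: set,
    waive_for_verified_passkeys: bool = True,
) -> bool:
    """Hypothetical policy: decide whether TOTP/U2F must still be challenged.

    login_method is "password" or "webauthn_passwordless"; enrolled_2fa is the
    set of second-factor providers the account has registered (e.g. {"totp", "u2f"}).
    waive_for_verified_passkeys models the per-user/admin toggle the request asks for.
    Signature verification and challenge/origin checks are assumed to have happened
    before this function is called.
    """
    if login_method == "password":
        # Password login keeps the normal second-factor requirement.
        return bool(enrolled_2fa)

    if login_method == "webauthn_passwordless":
        if auth_data is None:
            raise ValueError("passwordless login requires authenticator data")
        parsed = parse_authenticator_data(auth_data)
        # The assertion must be bound to this relying party.
        if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
            raise ValueError("rpIdHash does not match this relying party")
        # User presence is mandatory for any assertion.
        if not parsed["user_present"]:
            raise ValueError("user presence flag not set")
        # Only a user-verified passkey counts as possession + knowledge/inherence;
        # a UP-only assertion is a single factor and still needs the extra challenge.
        if waive_for_verified_passkeys and parsed["user_verified"]:
            return False
        return bool(enrolled_2fa)

    raise ValueError(f"unknown login method: {login_method}")


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a 37-byte authenticator data header for testing (constructed sample)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    enrolled = {"totp", "u2f"}
    verified = make_sample_auth_data("cloud.example", FLAG_UP | FLAG_UV, 7)
    presence_only = make_sample_auth_data("cloud.example", FLAG_UP, 8)
    print("passkey with UV  -> extra 2FA:", requires_additional_second_factor("webauthn_passwordless", verified, "cloud.example", enrolled))
    print("passkey UP only  -> extra 2FA:", requires_additional_second_factor("webauthn_passwordless", presence_only, "cloud.example", enrolled))
    print("password login   -> extra 2FA:", requires_additional_second_factor("password", None, "cloud.example", enrolled))
```

The useful defender's caveat here is the UP-only branch: when registering passwordless credentials the relying party should request user verification ("required"), and at login it should trust the UV flag rather than the credential type, so that a waiver of TOTP/U2F never applies to a passkey that was used without a PIN or biometric. The `waive_for_verified_passkeys` argument stands in for the per-user or administrator toggle the request proposes, so the same code path covers both the expected and the actual behaviour described above.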