Fido2 optional discoverable credentials for stable32 #57154
Conversation
- require resident keys/UV for new FIDO2 registrations, but retry without if unsupported - allow username-less login by probing discoverable credentials first, then fall back to the old flow - keep legacy (non-discoverable) registration/login paths working for older authenticators
swissbit-eis-admin
requested review from
Altahrim,
nfebe,
salmart-dev,
skjnldsv,
szaimen and
yemkareems
and removed request for
a team
|
would be great to pull in NC32... |
| $authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria( | ||
| AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE, | ||
| AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED, | ||
| AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_NO_PREFERENCE, |
There was a problem hiding this comment.
RESIDENT_KEY_REQUIREMENT_DISCOURAGED recommended
|
In my opinion, the correct thing to do would be to treat all WebAuthn credentials as a form of :
At least, this is how it's implemented right now: existing non-discoverable credentials are form of passwordless login (and the corresponding header in WebAuthn credentials are generally regarded as secure and thus do not require 2FA. 2FA is usually required for passwords only, in order to compensate for some of their weaknesses (passwords can be stolen/leaked, reused/sprayed, bruteforced etc, unlike WebAuthn credentials). UV is a whole different dimension. It's goal is to protect WebAuthn credential on user's side from unauthorized use. Imagine if someone finds a Yubikey in the street with
Note another use case for WebAuthn: on many websites, it's used as a better alternative to TOTP codes. In this case, UV is indeed optional, or even often discouraged, because the user already has to provide a password. By the way, this is exactly how it's implemented with Two-Factor WebAuthn app. A good UX example would be GitHub itself: https://github.com/settings/security We have:
Their docs are actually very good and worth reading: https://docs.github.com/en/authentication/authenticating-with-a-passkey/about-passkeys So, I'd envision the UI in Passwordless AuthenticationSet up your account for passwordless authentication following the FIDO2 standard. These credentials can be stored on hardware keys, or managed by your OS, or in some password managers. The following WebAuthn credentials are configured for your account:
Register new WebAuthn credential:
As for my proposal for an option to disable UV for passwordless logins (not usernameless+passwordless!), it could be hidden inside that |
swissbit-eis-admin
changed the title
...you did not have a chance to take a look at the code in this PR, right? I added a comment also in the code for your proposal (RESIDENT_KEY_REQUIREMENT_DISCOURAGED). As a conclusion: UV (PIN) required for discoverable credentials I tested the existing function and the new function, both have a smooth path through the UI. |
|
My proposal is to make the UI/UX more friendly to an average user that has zero idea of what 'resident FIDO2 credential' is. Unfortunately, I'm not familiar with Vue (neither I would choose vibe-coding it without knowledge) so I won't be landing a PR right now. And thank you very much for your work!!! |
|
To avoid confusion leading to the doc or to the UI:
FIDO2 with a PIN is a 2FA login, (you own the key and know the PIN), this is what says the quote of the specs you shared ( This type of login satisfy both password and 2FA requirements, so you can complete your sign in with a single step, safely and easily, without requiring a password and two-factor authentication.) This is also why, when used as a 2FA (after typing the password), it is used without a PIN. This kind of login was previously specified as U2F, superseded by FIDO2. U2F is the legacy protocol, it was only possible to use it that way. Finally, about the names of the protocol: passkey is a "marketing" name for WebAuthn, specified by FIDO2 (discoverable or not, usually for passwordless login, but sometime for 2FA too). Usually either FIDO2 or Passkey are used, interchangeably. Today, on Nextcloud, the section is about "Passwordless authentication", and the button about "webauthn". I have no opinion about "passwordless authentication", it is probably good. It would be great to rename Webauthn. Regarding the option for discoverable keys, we can use "Use discoverable key" to match the protocol specifications, or "Login without username" to describe what it does. |
|
The point of 2FA column in my table is just to indicate whether the server should request a separate 2FA step (which is indeed unnecessary with pure WebAuthn logins), nothing more, nothing less :) I agree that there's a lot of confusion already (even among devs) so we should use as precise wording as possible, and in the same time keep it as simple as possible. Thus I would prefer
so it would be more clear to end users (with a hint about discoverable credential in a tooltip, and a proper description in docs). |
|
Here's a proposal: Login screen:
Security Settings Section like "Passwordless login with device" in users security Settings
I really would like to finish this. In the end this is just my proposal that is ultimately up to the maintainers to accept or not. The more rephrasing , the more religion on UI comes into play then nothing will improve. Nextcloud needs the feature in my view pretty urgently independent from some words and I think it is security and usability wise a big step forward. Can you accept a different view on UI also and live with above? |
4 participants
Please refer to PR to master: #57151
Both have similar function
Successor of #57140
Summary
This allows user to register discoverable and non-discoverable FIDO2 passkeys in user settings.
If user tries to login with second factor and omits email login -> discoverable credential attempted
if user fills in email at login -> classic host side credentials are used.
TODO
Checklist
3. to review, feature component)stable32)