
Webauthn authentications using user verification should not be subject to two-factor challenge #869

@amalg


I'm logging into Nextcloud AIO (Nextcloud Hub 10 31.0.9) using passwordless WebAuthn via an NFC passkey, but once I authenticate, I'm challenged by two-factor. When logging in with a FIDO2 resident key (passkey), I should not be subject to 2FA, as passwordless authentication already integrates user verification requirements such as PIN or biometric user identification.


Steps to reproduce

  1. Register a passwordless (passkey) authenticator for the account
  2. Also set up TOTP two-factor for the account
  3. Also register a FIDO U2F security key for the account
  4. Attempt to "log in with device"

Expected behaviour

When logging in with a password, I should then be challenged by configured 2FA channels like TOTP or a FIDO U2F security key. However, when I authenticate using a passkey via WebAuthn, with user verification, I should not be challenged for additional 2FA.

Actual behaviour

When I authenticate using a passkey via WebAuthn, with user verification, I am also challenged to complete an additional 2FA. At the very least, this should be configurable under WebAuthn settings if 2FA should apply to WebAuthn authentications, particularly where user verification is supported and used by the FIDO2 resident key solution (security token / passkey).
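
As an added illustration of the behaviour requested in this issue (not Nextcloud's code and not part of the report): the authenticator sets the UV flag inside the signed authenticator data, so a server can decide per login whether a 2FA challenge is still needed. The function names, the `skip_2fa_on_uv` setting and the `cloud.example` RP ID are hypothetical, and the assertion signature and challenge are assumed to have been verified already.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the flags byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present (touch/tap)
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    return AuthData(rp_id_hash, flags, sign_count)


def needs_second_factor(raw: bytes, rp_id: str, skip_2fa_on_uv: bool = True) -> bool:
    """Hypothetical policy: skip the 2FA challenge only when the assertion
    for this relying party carries the UV flag and the admin setting allows it."""
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    return not (skip_2fa_on_uv and ad.user_verified)


def make_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample authenticator data (header only, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
```

A login where the authenticator only confirmed presence (flags `0x01`) still returns `True`, so a security key used without PIN or biometric would continue to get the TOTP or U2F challenge.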


Labels: 0. Needs triage, bug
