Disable U2F 2FA for Webauthn passwordless logins

[soxhi8]

Currently "User Verification" for FIDO2 is set to "Discouraged" (#21880), users are always able to use passwordless login without entering a PIN or the like.
It is also possible to use a FIDO2 key as a U2F device at the same time. Essentially it enables passwordless login by owning the key and knowing the username/email. That is avoidable on a personal level, but might be a risk on a larger deployment.

Disabling U2F as a second factor for passwordless logins would avoid the risk of owning a masterkey to an account.

[kowalski7cc]

It's not clear if a duplicate of #21215?

[soxhi8]

Similar problem, different issue. I want to enforce 2FA, since the current process is not 2FA, if the same hardware key can be used for both.
#21215 wants Webauthn as singular login, without additional 2FA.

[My1]

I think we should set userverification to required, and obviously the UV flag should be checked, shouldnt be too big of a challenge.

from one project I do Webauthn I do it like this, this assumes all other checks like signature etc being sone seperately, but maybe things like this could be used first to prevent any kinds of oracles about existing devices etc.

$flags=ord($authenticatorData[32]);
$trueuv=!!($flags & 4); //force to boolean
if($trueuv === false) {
  //deny login
}

[kowalski7cc]

It makes sense to avoid users registering the same webauthn device for both factors (username/webauth -> webauth), but I think also #21215 should not require (but optionally allowing) the classic "2fa" and instead require the device verification (pin, fingerprint)

[My1]

I would say that I dont think it's a problem if one can use the same device on both methods, I would tho use discouraged on the login with password and Required on the passwordless login.

[MrAxle]

I'm finding the login methods on NC increasingly confusing. Being able to login with the same Yubikey for both WebAuthn and U2F is not what I'd call "Multi-factor authentication" (or even "2 factor authentication"), as both are "something you have", and with no user verification set there is no "something you know". My first thought when I discovered this behaviour was that I'd found a bug/security vulnerability that bypassed the MFA/2FA requirement.

Is this something that is best managed here? Or would it be better managed in the U2F addon repository? Does having the various different authentication mechanisms as different addons causing problems like this?

[szaimen]

Let's track this in #21215