nextcloud/all-in-one

WebAuthn passwordless login should not be subject to two-factor challenge

Closed this issue · 1 comments

amalg commented

Steps to reproduce

  1. enable totp for account
  2. register security key (u2f) token for account
  3. register webauthn fido2 resident key (passkey) passwordless token for account
  4. log in with webauthn passwordless token
  5. be asked for additional two-factor authentication

Expected behavior

totp and / or u2f security keys are meant as a second factor when used with account passwords. webauthn passkey / fido2 resident key authentications do not need two-factor rules applied because passkeys already challenge the user for a second factor. the first factor is possession of the token (or device with passkey) and the second factor is a pin code or biometric confirmed by the fido authenticator device.

when authenticating (logging in) to nextcloud "with a device" by way of webauthn authentication, additional two-factor methods like totp or u2f security key challenges should not be applied.

at the very least, allow individual and/or administrators to toggle application of additional two-factor challenges to passwordless authentication methods.

Actual behavior

when logging in with webauthn passwordless device (fido2 res key / passkey), if totp or u2f security key options are registered for the account, the user is challenged with an additional 2fa requirement after successful webauthn authentication.
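The policy the report asks for can be expressed as a server-side decision that reads the flags byte of the WebAuthn authenticator data returned with the assertion: the UV (user verified) bit is set only when the authenticator itself checked a PIN or biometric, so possession plus UV already covers two factors, while a password login (or a WebAuthn assertion without UV) still needs the enrolled TOTP / U2F step. The following is an added illustration of that decision logic in Python, not code from Nextcloud or from the issue author; the rp_id, the enrolled-method set and the sample authenticator data are constructed here, and the function names are assumptions.

```python
import hashlib
from typing import Optional

# Bits of the WebAuthn authenticator data "flags" byte (offset 32, right
# after the 32-byte rpIdHash), as defined in the WebAuthn specification.
FLAG_UP = 0x01  # user present (touch / gesture)
FLAG_UV = 0x04  # user verified (PIN or biometric checked on the authenticator)
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data present
FLAG_ED = 0x80  # extension data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Extract rpIdHash, flags and signature counter from authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short (need at least 37 bytes)")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }


def needs_second_factor(login_method: str,
                        auth_data: Optional[bytes],
                        rp_id: str,
                        enrolled_2fa: set) -> bool:
    """Decide whether an extra TOTP / U2F challenge must follow this login.

    login_method is "password" or "webauthn_passwordless" (assumed names).
    enrolled_2fa holds the user's configured second-factor providers.
    """
    if not enrolled_2fa:
        return False  # nothing enrolled, nothing to challenge with
    if login_method == "password":
        return True  # a password is one factor; step-up is required
    if login_method == "webauthn_passwordless":
        info = parse_authenticator_data(auth_data)
        # Bind the assertion to this relying party before trusting its flags.
        expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
        if info["rp_id_hash"] != expected:
            raise ValueError("rpIdHash does not match this relying party")
        # UP + UV means the authenticator already proved possession and
        # knowledge/inherence: no additional second factor is needed.
        return not (info["user_present"] and info["user_verified"])
    raise ValueError(f"unknown login method: {login_method}")


def build_sample_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample (not a real authenticator capture) for demonstration."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


if __name__ == "__main__":
    rp = "cloud.example.test"            # constructed relying party id
    enrolled = {"totp", "u2f"}           # constructed enrolment state
    with_uv = build_sample_authenticator_data(rp, FLAG_UP | FLAG_UV, 7)
    without_uv = build_sample_authenticator_data(rp, FLAG_UP, 8)
    print("password login  ->", needs_second_factor("password", None, rp, enrolled))
    print("passkey, UV set ->", needs_second_factor("webauthn_passwordless", with_uv, rp, enrolled))
    print("key, no UV      ->", needs_second_factor("webauthn_passwordless", without_uv, rp, enrolled))
```

For this to be safe, the relying party must also request user verification when it creates the assertion options (the WebAuthn `userVerification: "required"` setting), so that an authenticator cannot satisfy a passwordless login with a presence touch alone; the check on the UV bit above is what enforces that on the server side.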

Hi, feel free to create a feature request for this here: https://github.com/nextcloud/server