nextcloud/twofactor_u2f

NFC U2F on iOS not supported

kc9jud opened this issue · 9 comments

Steps to reproduce

  1. Log in to Nextcloud.
  2. Select U2F as second factor.

Expected behaviour

iOS prompt for NFC security key should appear. Example from Yubico demo site:

Actual behaviour

“An error occurred: U2F not supported.”

Server configuration

Operating system: Ubuntu 16.04 LTS

Web server: nginx/1.14.0 (Ubuntu)

Database: MariaDB 10.1.43-MariaDB-0ubuntu0.18.04.1

PHP version: PHP 7.2.24-0ubuntu0.18.04.2 (fpm)

Version: 17.0.2

Updated from an older version or fresh install: Updated from Nextcloud 16

List of activated apps:

Enabled:
  - accessibility: 1.3.0
  - activity: 2.10.1
  - calendar: 2.0.0
  - camerarawpreviews: 0.7.3
  - cloud_federation_api: 1.0.0
  - comments: 1.7.0
  - contacts: 3.1.6
  - dav: 1.13.0
  - federatedfilesharing: 1.7.0
  - federation: 1.7.0
  - files: 1.12.0
  - files_accesscontrol: 1.7.0
  - files_pdfviewer: 1.6.0
  - files_rightclick: 0.15.1
  - files_sharing: 1.9.0
  - files_trashbin: 1.7.0
  - files_versions: 1.10.0
  - files_videoplayer: 1.6.0
  - firstrunwizard: 2.6.0
  - gallery: 18.4.0
  - logreader: 2.2.0
  - lookup_server_connector: 1.5.0
  - mail: 1.0.0
  - music: 0.12.1
  - nextcloud_announcements: 1.6.0
  - notes: 3.1.1
  - notifications: 2.5.0
  - oauth2: 1.5.0
  - password_policy: 1.7.0
  - privacy: 1.1.0
  - provisioning_api: 1.7.0
  - recommendations: 0.5.0
  - serverinfo: 1.7.0
  - sharebymail: 1.7.0
  - spreed: 7.0.2
  - support: 1.0.1
  - survey_client: 1.5.0
  - systemtags: 1.7.0
  - text: 1.1.1
  - twofactor_backupcodes: 1.6.0
  - twofactor_totp: 4.1.2
  - twofactor_u2f: 5.0.2
  - updatenotification: 1.7.0
  - viewer: 1.2.0
  - workflowengine: 1.7.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - encryption
  - files_external
  - theming
  - user_ldap

The content of config/config.php:

{
    "system": {
        "apps_paths": [
            {
                "path": "\/var\/www\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/nextcloud\/extra-apps",
                "url": "\/extra-apps",
                "writable": true
            }
        ],
        "supportedDatabases": [
            "mysql"
        ],
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.patrickfasano.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "17.0.2.1",
        "overwrite.cli.url": "http:\/\/nextcloud.patrickfasano.com",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "overwritehost": "nextcloud.patrickfasano.com",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "PLAIN",
        "mail_sendmailmode": "smtp",
        "mail_smtpauth": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "loglevel": 2,
        "theme": ""
    }
}

Client configuration

Browser: Mobile Safari

Operating system: iOS 13.3 (17C54)

Logs

Web server error log

N/A

Server log (data/nextcloud.log)

N/A

Browser log

Hard to get without iOS developer tools...

updated with additional info

https://www.npmjs.com/package/u2f-api is what we use for the detection. It says Safari still lacks u2f support. Has that changed recently?

Guess this has to be fixed upstream: grantila/u2f-api#26. Once that is included our app should work with Safari as well :)
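To illustrate the detection question raised above, here is an added example (not code from the twofactor_u2f app or the u2f-api package) that checks which security-key API a browser exposes, the legacy U2F JavaScript API or WebAuthn, and builds a WebAuthn assertion request that can reuse a U2F-registered key through the FIDO "appid" extension. The browser environments at the bottom are constructed stand-ins, and the Nextcloud origin used in the comments is a placeholder.

```javascript
// Added example, not code from twofactor_u2f or the u2f-api package.
// Two helpers: (1) detect which security-key API a browser exposes
// (legacy U2F JS API vs. WebAuthn); (2) build a WebAuthn assertion request
// that reuses a U2F-registered key via the FIDO "appid" extension.
// Only the object shapes of the standard browser APIs are relied on.

function detectSecurityKeyApi(g) {
  // Legacy high-level U2F API: window.u2f with register() and sign().
  const legacy = !!(g.u2f && typeof g.u2f.register === "function" &&
                    typeof g.u2f.sign === "function");
  // WebAuthn: navigator.credentials.get() plus the PublicKeyCredential class.
  const webauthn = !!(g.navigator && g.navigator.credentials &&
                      typeof g.navigator.credentials.get === "function" &&
                      typeof g.PublicKeyCredential === "function");
  if (legacy) return { api: "u2f", ok: true };
  if (webauthn) return { api: "webauthn", ok: true };
  // Same message the issue reports when neither API is present.
  return { api: null, ok: false, error: "U2F not supported" };
}

// base64url -> Uint8Array; works in browsers and Node (atob or Buffer).
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") +
              "=".repeat((4 - s.length % 4) % 4);
  const bin = typeof atob === "function" ? atob(b64)
            : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// U2F key handles were registered against an AppID (an origin URL), while
// WebAuthn scopes credentials to an RP ID. The "appid" extension tells the
// authenticator to accept the old AppID so existing keys keep working.
function buildAssertionRequest(challengeB64url, keyHandlesB64url, appId) {
  return {
    publicKey: {
      challenge: b64urlToBytes(challengeB64url),
      allowCredentials: keyHandlesB64url.map((kh) => ({
        type: "public-key",
        id: b64urlToBytes(kh),
        transports: ["usb", "nfc"],
      })),
      userVerification: "discouraged", // U2F keys have no user verification
      timeout: 60000,
      extensions: { appid: appId },
    },
  };
}

// Constructed stand-ins for three browser environments (not real captures).
const envLegacyOnly = { u2f: { register() {}, sign() {} }, navigator: {} };
const envWebAuthnOnly = {
  navigator: { credentials: { get() {}, create() {} } },
  PublicKeyCredential: function PublicKeyCredential() {},
};
const envNeither = { navigator: {} };
```

In a browser, the request object returned by buildAssertionRequest is passed to navigator.credentials.get() and the resulting assertion is verified server-side like any other U2F/WebAuthn signature.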

I had a similar problem choosing NFC U2F on some Android phones and, thanks to Yubico, I solved it by installing the Google Authenticator application for Chrome Mobile. I don't know if you have a problem with Chrome Mobile.

I reported bugs here

#538

That’s different — I have the NFC OTP app, so I can log in with my Yubikey if I use it to generate a one-time password. This issue is about U2F, a different type of second factor authentication.

Then let's clarify two things:

Yubico OTP and Yubico U2F are two ways of using the second authentication factor.

That said, how these two factors are used on a mobile phone depends on us: via USB or via NFC.

On Android I had the problem of using Yubico U2F NFC because the key acceptance screen in Chrome did not appear,

solved by installing Google Authenticator.

For Yubico OTP on Android, approaching my Yubico 5 NFC to the mobile phone makes it open a Yubico page where I enter my 64-digit OTP code, which obviously changes every time I use OTP. But the concept is that.

Nextcloud, which I also use, does not support Yubico OTP but only Yubico U2F, either via NFC or via USB. Then try to use Google Chrome and not iOS and see; alternatively, install the Google Authenticator app and try.

There's also a third option, which I was talking about: there's also TOTP support on Yubikey 5, which can be generated by Yubico Authenticator.

In any case, this is an iOS-specific issue, and depends on the upstream JS library support. I can confirm that Google Authenticator doesn't interact here, and using Chrome on iOS doesn't work either.

It's now fixed upstream as of Jan 25.
grantila/u2f-api#26 (comment)

Cool. I just integrated #849