nextcloud/twofactor_webauthn

prefer UserVerification = ask for device PIN

jans23 opened this issue · 1 comment

In Nextcloud, logins via WebAuthn are single-factor authentications and not two-factor authentications. In #41 and #69 UserVerification was set to DISCOURAGED with the reasoning that the WebAuthn authentication is used after a login authentication. However, this reasoning is wrong, because when WebAuthn is enabled and configured it is used instead of a password login and not after a password login. The best practice, also recommended by WebAuthn, is to set UserVerification to Preferred, and it should be applied here too. Hence, I suggest reverting #69.

I just noticed that I should have created this issue against the server and not the twofactor_webauthn module.
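The practical consequence of the `userVerification` setting discussed above is on the relying-party side: `preferred` only asks the authenticator to perform user verification (PIN or biometric) if it can, while the assertion's flags byte tells the server whether that actually happened. The example below is an added illustration and is not code from Nextcloud, twofactor_webauthn or the WebAuthn library they use; it shows the three policies as request options and a server-side check of the UP and UV bits in the authenticator data, with a constructed `authenticatorData` buffer standing in for a real assertion.

```javascript
// Added example, not Nextcloud code. Illustrates how the WebAuthn
// userVerification policy (discouraged / preferred / required) maps to
// a relying-party check of the authenticator data flags.

const FLAG_UP = 0x01; // user present  (touch / gesture)
const FLAG_UV = 0x04; // user verified (PIN / biometric)
const POLICIES = new Set(["discouraged", "preferred", "required"]);

// Request options as passed to navigator.credentials.get() in the browser.
// challenge and rpId are supplied by the caller; only the policy matters here.
function requestOptions(policy, challenge, rpId) {
  if (!POLICIES.has(policy)) throw new Error("unknown userVerification policy: " + policy);
  return { challenge, rpId, userVerification: policy, timeout: 60000 };
}

// authenticatorData layout (WebAuthn spec): rpIdHash (32) | flags (1) | signCount (4) | ...
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount,
  };
}

// Server-side decision for one assertion under a given policy.
// UP must always be set; UV is mandatory only under "required".
// Under "preferred" the assertion is accepted either way, so the caller
// must look at userVerified to know whether a second factor was proven.
function checkUserVerification(policy, authData) {
  if (!POLICIES.has(policy)) throw new Error("unknown userVerification policy: " + policy);
  const a = parseAuthData(authData);
  if (!a.userPresent) return { ok: false, userVerified: a.userVerified, reason: "UP flag not set" };
  if (policy === "required" && !a.userVerified) {
    return { ok: false, userVerified: false, reason: "UV required but not performed" };
  }
  return { ok: true, userVerified: a.userVerified, reason: null };
}

// Number of factors an accepted assertion actually demonstrates:
// possession alone (1) or possession plus PIN/biometric (2).
function factorsProven(authData) {
  const a = parseAuthData(authData);
  return a.userVerified ? 2 : 1;
}

// Constructed sample authenticator data (not a real assertion):
// rpIdHash of zeros, the given flags byte, and signCount 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

// Usage: the same assertion with only UP set passes under "preferred"
// but is rejected under "required".
const touchOnly = sampleAuthData(FLAG_UP);
console.log(checkUserVerification("preferred", touchOnly)); // ok, userVerified false
console.log(checkUserVerification("required", touchOnly));  // rejected
```

The point for a deployment that wants WebAuthn to count as two factors is that `preferred` changes what the authenticator is asked to do, not what the server enforces; only `required` plus the UV check turns a missing PIN into a rejected login.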