Web Authentication

[franziskuskiefer]

Feature Request

Support Web Authentication

Summary

This extension only implements the proprietary fido protocol for two-factor authentication.
To support non-google browsers the web standard Web Authentication should be implemented.

[ChristophWurst]

This was discussed in #69 a bit.

Do you happen to know a few examples of how to use that?

[franziskuskiefer]

This hacks post gives a rough overview and a couple links to more resources.
The DUO demo looks like a good example

[ccoenen]

I would like to request to have this added to the next milestone.
(Edit: Webauthn is now a w3c recommendation: https://www.w3.org/TR/webauthn/ )

[ChristophWurst]

I would like to request to have this added to the next milestone.

This is not how it works 😉

There are many way to get new features in Nextcloud:

1. The easiest and most straight forward way (especially here at Github): pull request.
   Nextcloud is completely Free Software, this means that everyone is welcome to join and to contribute. If you or anyone else want to work on this feature, this would be great! We appreciate every pull request, and we are definitely able to help in case of questions, reviews, etc.

2. Another option is creating a bounty at Bountysource, although just putting money on an issue doesn't guarantee that someone picks it up (in time). But in general it is a nice way to support the huge Nextcloud community. In case of a Nextcloud GmbH employee picks up the bounty we will give it back to the community by putting the money back on other bounties to make sure all bounties benefit the Nextcloud community.

3. We have a category for Freelancers in our form. Another option would be to post an offer there and try to find a freelancer who want to work on it.

4. The most direct way for a company or organization to get the issue addressed is to get a Enterprise Subscription. This includes everything to enable you to run Nextcloud in a productive environment with guaranteed SLA's and more. The Enterprise Subscription also includes optional professional services such as custom development. Feel free to reach out to us. We are happy to explore the possibilities how to make Nextcloud fit your needs.

[simonspa]

@ChristophWurst would you rather have this feature in the twofactor_u2f app or in a separate app?

[ChristophWurst]

I don't know yet. This depends on whether it would be used as second factor or primary authentication method.

[simonspa]

Ah, you're right, I haven't even thought of it as replacement, just as second-factor. Let me know when you reached any conclusion, I would be interested in working on this.

[jsfrederick]

It COULD be used a a primary authentication, the protocols support that. Really depends on how you want to implement. I, too, would love to see WeAuthn/FIDO2 support in Nextcloud

Here is a good overview of Webauthn and FIDO2: https://developers.yubico.com/FIDO2/FIDO2_WebAuthn_Developer_Guide/

Here are some libraries that can be used: https://developers.yubico.com/FIDO2/Libraries/

Some good WebAuthn Demo Sites:
https://demo.yubico.com/webauthn
https://www.webauthn.org/
https://webauthn.io/

Here is an interesting possibility. YubiKey with a lightning connector for iOS devices.
https://www.yubico.com/2019/01/yubico-launches-the-security-key-nfc-and-a-private-preview-of-the-yubikey-for-lightning-at-ces-2019/

[michib]

I have started an implementation for Webauthn: https://github.com/michib/nextcloud_twofactor_webauthn.
For this project i shamelessly used @ChristophWurst implementation for u2f as a template ;-). And copied a lot of code from the docs of https://github.com/web-auth/webauthn-framework.

The current state is: It's possible to register a device with webauthn and authenticate with it for 2fa. Missing features are the automatically 2FA activation for an user, tests (all of it) and there are a lot of files where the credits to this project and webauthn-framework are missing.

[jonathancross]

@michib Exciting to see the progress!

[Bubu]

I was a bit confused just now where webauthn support in my nextcloud came from and it seems it's part of nextcloud server core since v19. So I suppose this can be closed now?

[ChristophWurst]

I was a bit confused just now where webauthn support in my nextcloud came from and it seems it's part of nextcloud server core since v19. So I suppose this can be closed now?

Yes! That was done in nextcloud/server#19858