Question
Hi Christoph,
Thanks for the great U2F and WebAuthn Nextcloud apps. We have handed out Yubikeys to all of our employees and external partners and use them for second-factor Nextcloud authentication.
I was wondering if you had seen this issue, and whether you have any advice:
https://help.nextcloud.com/t/nextcloud-allowing-login-with-windows-hello-bypassing-yubikey/131216
When we tried switching from U2F to WebAuthn (to support Chrome's deprecation of U2F), what we are finding is that on Windows under Chrome, users are able to log in using Windows Hello as the second factor, bypassing the Yubikey.
For now our workaround is to continue with U2F rather than WebAuthn, and we require users to use Firefox to authenticate.
Thanks,
Brad
Summary
Windows users are able to bypass Yubikey second-factor authentication, using local Hello credentials.
With platform-bound passkeys becoming more and more popular, there are increasing chances that (especially non-tech-savvy) users will succumb to OS prompts and register platform-bound passkeys instead of cross-platform ones.
Please let the instance administrators either make that choice themselves or leave it up to users, as it is with 2FA now: they can enforce it or leave it up to users.
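One way the administrator policy requested above could be enforced, shown as an added example that is not code from the Nextcloud WebAuthn app. `policy.allowPlatform`, the function names and the stored-credential shape are assumptions; `authenticatorAttachment` and the `internal` transport are standard WebAuthn values.

```javascript
// Added example. `policy.allowPlatform` and the stored-credential shape are
// assumptions for illustration, not Nextcloud settings or schema.

// Registration: ask the browser to offer only roaming authenticators.
function registrationOptions(policy, base) {
  const authenticatorSelection = { ...(base.authenticatorSelection || {}) };
  if (!policy.allowPlatform) {
    // "cross-platform" keeps Windows Hello out of the registration prompt.
    authenticatorSelection.authenticatorAttachment = "cross-platform";
  }
  return { ...base, authenticatorSelection };
}

// Registration response: the browser applies the filter above, so the server
// re-checks what came back. `reg` carries PublicKeyCredential.authenticatorAttachment
// and the result of AuthenticatorAttestationResponse.getTransports().
function acceptRegistration(policy, reg) {
  if (policy.allowPlatform) return { ok: true };
  if (reg.authenticatorAttachment === "platform") {
    return { ok: false, reason: "platform authenticator not allowed" };
  }
  if ((reg.transports || []).includes("internal")) {
    return { ok: false, reason: "internal transport not allowed" };
  }
  // Both fields are client-reported; verifying attestation against an
  // allowlist of authenticator models is the stronger control.
  return { ok: true };
}

// Login: offer only stored credentials that satisfy the current policy, so a
// platform credential enrolled before the policy change stops being accepted.
function allowCredentials(policy, stored) {
  return stored
    .filter((c) => policy.allowPlatform || acceptRegistration(policy, c).ok)
    .map((c) => ({ type: "public-key", id: c.id, transports: c.transports }));
}

// Constructed sample data (ids are placeholders, not real credential ids).
const policy = { allowPlatform: false };
const stored = [
  { id: "yubikey-1", authenticatorAttachment: "cross-platform", transports: ["usb", "nfc"] },
  { id: "hello-1", authenticatorAttachment: "platform", transports: ["internal"] },
];
console.log(registrationOptions(policy, { rp: { name: "Example" } }));
console.log(allowCredentials(policy, stored));
```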