UI to setup FIDO keys is not available until after setting up TOTP

[Be-ing]

Gitea Version

1.15

Git Version

No response

Operating System

No response

How are you running Gitea?

https://codeberg.org

Database

No response

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

Configuring an account to use FIDO keys to log in first requires configuring TOTP. This is problematic because TOTP is harder to user and vulnerable to phishing.

Screenshots

[LeeteqXV]

Ref. my original comment over at Mastodon (same issue):
mastodon/mastodon#16693

"Just for the clarity: WebAuthn, also referred to as "passwordLESS", is actually replacing the 1st factor - namely the password - not the second factor. It is not a 2FA alternative.
Policywise, any site should have the option to choose whether or not to use 2FA, but still be able to choose to offer WebAuthn instead of passwords, and some sites might even want to say to all users that do NOT want to use 2FA, that then they must use WebAuthn instead of "just password", because passwords alone is worse...
(allthough that is not very good, as someone who gets hold of the usb key can then get in without any other information, so it is always recommended to "enforce" 2FA anyway, IMO)
regardless, this issue should move ahead anyway."

[LeeteqXV]

Plus my second comment there:
mastodon/mastodon#16693 (comment)

[zeripath]

#11573

[Myridium]

The accepted pull request does not really resolve the issue fully.

WebAuthn / FIDO2 is both factors in one, it is not a second factor only. The user has 'something they own' (the hardware key) and 'something they know' (the PIN for the device) and possibly also 'something they are' (biometric data).

The WebAuthn standard is meant to allow users to log in passwordless. E.g. with a Yubikey Bio, no password is needed, and no PIN is needed unless you mess up the fingerprint scan a couple of times. This is still two factors of authentication.

Also note this warning regarding the current protocol Gitea is using: