
UI to setup FIDO keys is not available until after setting up TOTP #17495

Closed
Be-ing opened this issue Oct 30, 2021 · 4 comments · Fixed by #11573

Comments

Be-ing commented Oct 30, 2021

Gitea Version

1.15

Git Version

No response

Operating System

No response

How are you running Gitea?

https://codeberg.org

Database

No response

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

Configuring an account to use FIDO keys to log in first requires configuring TOTP. This is problematic because TOTP is harder to use and vulnerable to phishing.

Screenshots

(two screenshots attached to the issue, not reproduced here)


LeeteqXV commented Oct 30, 2021

Ref. my original comment over at Mastodon (same issue):
mastodon/mastodon#16693

"Just for clarity: WebAuthn, also referred to as "passwordLESS", is actually replacing the 1st factor - namely the password - not the second factor. It is not a 2FA alternative.
Policywise, any site should have the option to choose whether or not to use 2FA, but still be able to choose to offer WebAuthn instead of passwords, and some sites might even want to say to all users that do NOT want to use 2FA, that then they must use WebAuthn instead of "just password", because passwords alone are worse...
(although that is not very good, as someone who gets hold of the usb key can then get in without any other information, so it is always recommended to "enforce" 2FA anyway, IMO)
regardless, this issue should move ahead anyway."

@LeeteqXV

Plus my second comment there:
mastodon/mastodon#16693 (comment)


zeripath commented Nov 6, 2021

#11573

6543 pushed a commit that referenced this issue Nov 8, 2021
This change enables the usage of U2F without being forced to enroll a TOTP authenticator.
The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.

Fixes #5410
Fixes #17495
@Myridium

The accepted pull request does not really resolve the issue fully.

WebAuthn / FIDO2 is both factors in one, it is not a second factor only. The user has 'something they own' (the hardware key) and 'something they know' (the PIN for the device) and possibly also 'something they are' (biometric data).

The WebAuthn standard is meant to allow users to log in passwordless. E.g. with a Yubikey Bio, no password is needed, and no PIN is needed unless you mess up the fingerprint scan a couple of times. This is still two factors of authentication.

Also note this warning regarding the current protocol Gitea is using:

(screenshot of the warning, not reproduced here)

Chianina pushed a commit to Chianina/gitea that referenced this issue Mar 28, 2022
This change enables the usage of U2F without being forced to enroll a TOTP authenticator.
The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.

Fixes go-gitea#5410
Fixes go-gitea#17495
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022