authorRoeland Jago Douma <roeland@famdouma.nl>2020-07-16 21:10:07 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2020-07-16 21:10:07 +0200
commit884f3d009a8b81422b1f9275a21d5b125066af73 (patch)
treee110a11350262dbc46016b7028a905bc0fff2af1 /lib
parentda4f3559c5f1ab5db77e2cb06c2d618fb228313b (diff)
downloadnextcloud-server-884f3d009a8b81422b1f9275a21d5b125066af73.tar.gz
nextcloud-server-884f3d009a8b81422b1f9275a21d5b125066af73.zip
Discourage webauthn user interaction
Else people might have the feeling this is also doing 2FA. And since it is only preferred it can be ignored and hacked around. Once we have proper 2FA with webauthn in one go this probably needs to be revisited. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib')
-rw-r--r--lib/private/Authentication/WebAuthn/Manager.php9
1 files changed, 7 insertions, 2 deletions
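diff --git a/lib/private/Authentication/WebAuthn/Manager.php b/lib/private/Authentication/WebAuthn/Manager.php
index cc3e9aba1cc..4415badc9b0 100644
--- a/lib/private/Authentication/WebAuthn/Manager.php
+++ b/lib/private/Authentication/WebAuthn/Manager.php
@@ -107,7 +107,11 @@ class Manager {
 $excludedPublicKeyDescriptors = [
 ];
-$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria();
+$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
+null,
+false,
+AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
+);
 return new PublicKeyCredentialCreationOptions(
 $rpEntity,
@@ -186,7 +190,8 @@ class Manager {
 random_bytes(32), // Challenge
 60000, // Timeout
 $this->stripPort($serverHost), // Relying Party ID
-$registeredPublicKeyCredentialDescriptors // Registered PublicKeyCredentialDescriptor classes
+$registeredPublicKeyCredentialDescriptors, // Registered PublicKeyCredentialDescriptor classes
+AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
 );
 }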
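Review bot: The three positional arguments added at `new AuthenticatorSelectionCriteria(` in the first hunk are undocumented, while the sibling call in the second hunk annotates every argument (`// Challenge`, `// Timeout`), so a reader cannot tell what `null` and `false` select without opening the library. I would annotate them the same way: `null, // Authenticator attachment (presumably: any)`, `false, // Resident key not required`, `AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED // Single factor only, not 2FA; see commit message`. The same trailing comment belongs on the constant added in the second hunk, and it should state that the value is a hint to the browser, so nothing downstream in this flow may treat the resulting assertion as user-verified. The commit message itself says this needs revisiting once WebAuthn-based 2FA exists; a `TODO` at both sites would keep that from being lost. Both enclosing methods start outside their hunks.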