Improving security (U2F)


#1

U2F hardware tokens like YubiKey or Nitrokey significantly boost the security of online services. The U2F-only Nitrokey is only 9€; there are probably even cheaper ones, as a low price was a design goal for the standard. There is a variety of free software libraries ready to use.

Nextcloud already supports this in an amazingly intuitive way: activate the use of a U2F device in your personal settings and press the device button – that’s it. From now on, in addition to user name and password, you need to have the hardware key plugged in and press its button (to create the one-time password) to be able to log in to your account. You also have to use device-specific passwords (which Nextcloud generates for you), e.g. to sync data with mobile devices or a desktop app; this won’t work any longer with your user name + password combination until you deactivate the use of your U2F device again.

I assume we can agree that having this extra layer of security is desirable.

Therefore, I would like to discuss some suggestions for future implementation:

  1. Multiple passwords per account
    This isn’t U2F-specific and should be possible anyway, IMHO. You’d no longer use your actual login credentials everywhere to sync libraries. In case of one device being compromised, you’d just have to revoke this single password. Even if it’s only ever used once to authenticate a particular client, it would still be preferable not to have to use the login data to add clients.

    It would be amazing if you could treat these like “subusers” of your own user account and define/limit their access to your libraries (e.g., show your mobile phone only a selection of libraries, some of them also in read-only mode). In fact, I’ve always created dummy accounts on my Seafile server to emulate this behaviour, as I didn’t like the idea of entrusting e.g. Android devices with my login data. See also 4. below.

  2. U2F support for Seahub
    Add an option to register a U2F key. Then for logins, after user name and password are validated, demand one of the registered U2F tokens to gain access to one’s personal account. You’d also need to implement some sort of secure fallback method, just in case someone loses the U2F key. Nextcloud generates backup codes for this case, which you can download and print/store in a secure location.

  3. Support multiple U2F devices per account
    As an alternative backup measure so as not to lose access to your data.

  4. U2F support in the desktop clients
    Once a user has activated a U2F device for his/her account, the clients would also need the key to initially authenticate when the account is being added. The problem is that this cannot be enforced easily on mobile clients (at least without NFC-capable hardware or USB OTG). So you’d still need to use passwords from 1. as a fallback method.

  5. A new checkbox in the sharing functionality to activate U2F for individual libraries
    If checked, this would add new restrictions to these libraries, similar to using encryption: sharing publicly is impossible, sharing with other users is only possible if they have also registered a U2F device, only clients which have been authenticated using U2F can be used, and only when the key is provided when initially syncing this library.

  6. Possibility for the admin to force a user to use U2F
    Similar to forcing someone to set a new password, this could be useful for organisations to enforce better control over access to data. It would only allow new users to activate their account if they also registered a U2F token. This completes the chain: users must register a U2F device, they can only access their account with the key, can only register clients with both unique passwords and the key, and (probably) can also only start syncing certain libraries with the key.

I’ve written this down in order of my personal priorities. Well, those are my ideas so far. Let’s hear it :wink:
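Added example, not part of the original post and not Seafile or Nextcloud code: a stdlib-only Python sketch of the server-side state behind suggestions 1 to 3 above, with per-device app passwords that can be revoked individually, several registered tokens whose signature counter must increase on every login, and single-use backup codes kept only as hashes. The token's ECDSA signature is replaced by an HMAC over the challenge and counter with a per-key secret so it runs without a real U2F device; all names and values are constructed for the example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

def digest(value: str) -> str:
    # demo only: a real server uses a slow password hash (scrypt/argon2) for the account password
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class Account:
    password_hash: str
    keys: dict = field(default_factory=dict)           # key handle -> {"secret", "counter"}
    app_passwords: dict = field(default_factory=dict)  # device name -> hash of that device's password
    backup_codes: set = field(default_factory=set)     # hashes of backup codes not yet used
    def register_key(self, handle: str, secret: bytes) -> None:
        # 2./3.: any number of tokens; the server remembers the last counter each one reported
        self.keys[handle] = {"secret": secret, "counter": 0}
    def issue_backup_codes(self, n: int = 5) -> list:
        # 2.: fallback codes, shown to the user once in clear, stored only as hashes
        codes = [secrets.token_hex(4) for _ in range(n)]
        self.backup_codes = {digest(c) for c in codes}
        return codes
    def issue_app_password(self, device: str) -> str:
        # 1.: one revocable password per client device, never the account password
        password = secrets.token_urlsafe(16)
        self.app_passwords[device] = digest(password)
        return password
    def revoke_device(self, device: str) -> None:
        self.app_passwords.pop(device, None)

def token_sign(secret: bytes, challenge: bytes, counter: int) -> bytes:
    # stand-in for the token's ECDSA signature over (challenge, counter); HMAC keeps this stdlib-only
    return hmac.new(secret, challenge + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def web_login(acct: Account, password: str, challenge: bytes, assertion=None, backup_code=None) -> str:
    if not hmac.compare_digest(digest(password), acct.password_hash):
        return "denied"                     # password is checked before any second factor
    if assertion and assertion["handle"] in acct.keys:
        key = acct.keys[assertion["handle"]]
        expected = token_sign(key["secret"], challenge, assertion["counter"])
        if assertion["counter"] > key["counter"] and hmac.compare_digest(expected, assertion["sig"]):
            key["counter"] = assertion["counter"]
            return "ok"
        return "denied"                     # bad signature, or counter not increasing (replay / cloned key)
    if backup_code and digest(backup_code) in acct.backup_codes:
        acct.backup_codes.discard(digest(backup_code))   # each backup code works exactly once
        return "ok"
    return "denied"

def client_login(acct: Account, device: str, app_password: str) -> bool:
    return hmac.compare_digest(acct.app_passwords.get(device, ""), digest(app_password))
```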


#2

+1 I appreciate your suggestions very much.


#3

Since there’s now some second-factor support in the server already, would you consider looking into 2. and 3. of my suggestions?


#4

+1

Any ETA on this?
YubiKey support would be good and quite a must-have in today’s cloud business.


#5

+1

I’d really like to see FIDO2 / WebAuthn support.


#6

+1 Would be great, e.g. with Google’s Titan Key.