Nextcloud introduced WebAuthn passwordless authentication with version 19. As far as we understand, you assume that your implementation provide two-factor authentication:
βThe server asking for authentication can request verification of multiple factors, so that a configured key requires the user to not just plug it in but also enter a PIN or scan a finger print.β (see https://www.nitrokey.com/news/2020/what-passwordless-world-looks )
We found the same issue like in Microsoftβs implementation: userVerification is not set and the UV flag is not checked on the server. Thus, even though a FIDO2 key with a PIN is added in a user account, the PIN is not required to log in.
The full description is available in our unlisted blog post at: https://hwsecurity.dev/2020/06/webauthn-pin-bypass/
We have a nice video in our blog post: https://hwsecurity.dev/2020/06/webauthn-pin-bypass/
An attacker could log into the victims account without a PIN by sneaking up on the victim and using the security hardware over NFC.