Nextcloud: PIN for passwordless WebAuthn is asked for but not verified

ID H1:924393
Type hackerone
Reporter dschuermann
Modified 2020-10-28T09:19:31


Nextcloud introduced WebAuthn passwordless authentication with version 19. As far as we understand, you assume that your implementation provides two-factor authentication:

"The server asking for authentication can request verification of multiple factors, so that a configured key requires the user to not just plug it in but also enter a PIN or scan a finger print." (see )

We found the same issue as in Microsoft's implementation: userVerification is not set and the UV flag is not checked on the server. Thus, even though a FIDO2 key with a PIN is added to a user account, the PIN is not required to log in.

The full description is available in our unlisted blog post at:


We have a nice video in our blog post:

An attacker could log into the victim's account without a PIN by sneaking up on the victim and using the security hardware over NFC.