Allow U2F 2FA when TOTP is disabled

[rugk]

Similar to GitLab you seem to require TOTOP 2FA to be setup before I can enable U2F.

Obviously this is a silly requirement, as I should be able to enable what I want and there is no reason to force TOTP to be enabled. Obviously it should still enable the recovery password (you seem to call it "one-time password").

See e.g. how any other website does it.

[lafriks]

Yeah it's kind of for historical reasons but I agree this can be improved

[jonasfranz]

There are reasons to force you to enable TOTP since many devices do not support U2F 2FA (iOS, IE, Edge, etc. etc.). This protects you from locking yourself out from your account.

[rugk]

Hu? You cannot enable U2F 2FA (or, you, at least, should not be able to) if the browser does not support it. Then you can't be locked out from your account.

Generally said, of course, if enabling a 2FA method fails, it should obviously cancel all that whole thing and not force it on the next login.

[tankerkiller125]

@rugk let's say I setup my account through chrome on the desktop and I suddenly have a need to login on a mobile device for some reason, how am I supposed to to get into my account without TOTP since my mobile device doesn't support U2F? By forcing TOTP first this issue is completely resolved and system admins won't have employees calling them about something that's basically a stupid issue.

[rugk]

Okay, I get it. It's about cross-browser/device login…

Obviously as a user you would (have to) know what method you can use where and how.
In the same way, you can also just set it up on a mobile phone and then forget that you need your mobile phone for login on a desktop.
Or that you sign-up to a service on one device, save it in a password manager/browser and then cannot sign up on another one. (that is equivalent to 2FA issues…)
Or that you have two mobile phones and added it the TOTP code on one phone only, so you cannot login when you use the other phone.

It has to be obvious (and I think it is) that all these examples do not work and you blame yourself as a user if you forget your 2FA phone or so.
It's obviously the same if use an U2F key and I guess it is quite obvious to the user that they cannot plug that into their phone (without an adapter 😉). But, of course, you can use U2F keys on phones too, if your phone and the key has NFC.
So actually you are assuming a very tight scenario you are trying to protect the user that may not really apply (NFC) and may not really an issue the users really ran into. (As said, I'd say you can assume they are "intelligent" enough to get that you cannot login with an USB key on your phone if it's not compatible, i.e. NFC.)

Also U2F key 2FA is obviously more secure than just TOTP (e.g. against phishing), so I as a user may choose to deliberately only enable U2F, not TOTP.

And as you can see no other service (except of Gitlab, but they also want to change it: https://gitlab.com/gitlab-org/gitlab-ce/issues/48918) forces TOTP for U2F activation. And I'd say many people on GitHub etc. thought about the whole thing in detail.

If you want, you may just add a note/warning when enabling U2F that this cannot be used on some browsers/devices or so, but users may already know this anyway…

[tankerkiller125]

@rugk don't get me wrong I think 99% of developers using this understand how all of this works however theirs always some companies that let marketing, sales or other groups use a login and those groups unfortunately (at least in my experience) lack the skill or thought process required to understand that something might not work across all devices.

[jonasfranz]

@rugk GitHub also forces TOTP if you want to use U2F.

[rugk]

@JonasFranzDEV Really? That would be stupid, too. Cannot test it, however…

[roschler]

Adding my vote for the ability to use U2F without requiring a phone.

[voretaq7]

U2F without TOTP is eminently reasonable: These are two separate technologies, there is no reason to force one to enable the other. (Everyone thinks it would be unreasonable to require U2F to enable TOTP, right?)

Plus it maps to my org's use pattern better: Your SSH key is on your YubiKey, it's logical that your YubiKey is also the thing you need to use to access the web UI.

#11573 seems like a reasonable patch to me (needs some polish detecting 2FA is enabled if the user is U2F only which is ongoing).