Add info about FIDO2/WebAuthn

docs/model-fido2.md

@@ -0,0 +1,15 @@
+## How is UV handled in mailcow?
+
+The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey).
+
+## Login and key processing
+
+mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory.
+
+A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login.
+
+When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory.
+
+## Who can use WebAuthn to login to mailcow?
+
+As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2.

mkdocs.yml

@@ -44,6 +44,7 @@ nav:
   - 'Sender and receiver model': 'model-sender_rcv.md'
   - 'ACL': 'model-acl.md'
   - 'Password hashing': 'model-passwd.md'
+  - 'WebAuthn / FIDO2': 'model-fido2.md'
 - 'Debugging & Troubleshooting':
     - 'Introduction': debug.md
     - 'Logs': 'debug-logs.md'