I just installed 10.0RC1 of nextcloud and I am happy so far but cannot find any way to enable 2fa. Where can I find the setting to do so? Are there any prerequisites I need to install before the menu point shows up? Thanks!
You need to install a 2FA app first
@ChristophWurst has some in his repos:
Thanks, didn’t see this is needed …
Installed the first one but getting errors:
include_once(): Failed opening ‘/var/www/owncloud/apps/twofactor_totp/appinfo/…/vendor/autoload.php’ for inclusion (include_path=’/var/www/owncloud/3rdparty/pear/console_getopt:/var/www/owncloud/3rdparty/pear/pear_exception:/var/www/owncloud/3rdparty/pear/pear-core-minimal/src:/var/www/owncloud/3rdparty/pear/archive_tar:/var/www/owncloud/3rdparty/phpseclib/phpseclib/phpseclib:/var/www/owncloud/lib/private:/var/www/owncloud/config:/var/www/owncloud/3rdparty:/var/www/owncloud/apps:.:/usr/share/php:/var/www/owncloud’) at /var/www/owncloud/apps/twofactor_totp/appinfo/app.php#24
Should I open an issue?
twofactor_totp.zip from https://github.com/ChristophWurst/twofactor_totp/releases
Ah, OK, thanks …
make inside the git repo)
@nickvergessen Is there a 2FA FAQ page or something that outlines the options? I was confused at first in thinking that I needed a separate server using the PrivacyIDEA 2FA solution. I would be happy to write it but can’t trace a branch in github, online or elsewhere. PrivacyIDEA seems quite robust and professional but for smaller teams I was hoping for a more simple app solution. @doits, can you please comment on your experience with the app?
Thanks nextclouders for all that you do.
Hi. I’m trying to enable 2FA but I must be missing something. I’ve upgraded to 10.0RC1 and I added the twofactor_totp app - how do I enable it or configure it? It doesn’t show up in any of the admin or other menus. OTOH I don’t get any errors in my nextcloud log either.
Where do I look next?
I simply unpacked the released version from https://github.com/ChristophWurst/twofactor_totp/releases into my apps/ directory of nextcloud.
After enabling the app Two Factor TOTP Provider I can go to my personal settings and have an entry at the bottom of that page to enable TOTP. It showed a QR code which I scanned in my OTP-program and now it generates the codes.
On login it asks me to authenticate with a second step. There I can select the TOTP-App and enter my one time codes. Suggestion: If there is only one second step app, there is no need for that page in between to select it (since I have no choice anyway). This would make the experience more seamless if only one second step authentication app is enabled.
My app passwords still do work, so this is fine.
That was it for me to make it work.
Thanks it’s working now. I removed it and re-installed it. Then it appeared on the app page and I was able to enable it.
Any idea how I can reset the 2FA for one user only (e.g. loss of smartphone)?
I think there are console commands for this.
Yes. There are console commands:
$ php occ twofactor:disable admin
2FA disabled for user admin
$ php occ twofactor:enable admin
2FA enabled for user admin
Nextcloud’s 2FA is currently not documented very well … But you’ll find a lot of interesting information and guides about this feature on the developer’s (@ChristophWurst) blog:
It would be nice to have this integrated in NC’s user management.
Something is missing in the “documentation”: How can a user receive his TOTP secret again, e.g. for adding an additional device?
Disabling and enabling TOTP in the user’s preferences will create a new TOTP secret.
TOTP 2FA is a separate community app, therefore it’s not documented in the Nextcloud documentation. However, feel free to contact me in https://github.com/ChristophWurst/twofactor_totp if you’d like to document the app. We’ll find a solution for it.
Well, the authentication framework that the 2FA app uses is part of Next/Owncloud, so at least that part should be documented in the generic documentation. Like how after enabling an authentication app (be it 2FA or any other) the APIs (which ones?) can only be accessed with app passwords, whereas the web interface can only be accessed using the mechanism implemented by the authentication app (2FA). And how password resets are handled in this context. And any other relevant generic behaviour.
Then the community app can document anything specific to that app. For 2FA it should probably tell a bit more about what happens to existing users when the admin enables the app.
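On the point raised earlier in the thread that disabling and re-enabling TOTP creates a new secret: the sketch below is an added example, not part of the thread and not code from twofactor_totp, showing why a second device needs the same secret and why codes from an already enrolled device stop validating after re-enrolment. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and a drift window of one step either side; the function names are hypothetical and the shared secret is the RFC 6238 test key.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check; accepts adjacent time steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + d * step), code)
        for d in range(-window, window + 1)
    )

def new_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as it would appear in a QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

# Constructed sample: the ASCII test key from RFC 6238 Appendix B.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

def reenroll_demo(now: int = 1111111109) -> dict:
    old = RFC_SECRET
    phone = totp(old, now)
    tablet = totp(old, now)      # second device that scanned the same QR code
    new = new_secret()           # user disabled and re-enabled TOTP
    return {
        "same_secret_same_code": phone == tablet,
        "old_device_accepted_before": verify(old, phone, now),
        "old_device_accepted_after": verify(new, phone, now),
        "new_device_accepted_after": verify(new, totp(new, now), now),
    }

if __name__ == "__main__":
    for name, result in reenroll_demo().items():
        print(f"{name}: {result}")
```

Every device that should generate valid codes has to be enrolled from the same QR code, so after a re-enrolment all devices need to scan the new one.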