2FA delayed activation for new users in config.php

Hi @all,

we recently forced 2FA via TOTP for all of our users. The users should use their work mobile phone and the provided authenticator app to do so.

Sometimes we cannot provide a work mobile on time, or the user is overwhelmed by all of the configuration they have to do on their first day.

So we came up with the idea to provide a little bit of convenience and disable 2FA for their first week.

After a bit of research I asked ChatGPT for a solution, and it came up with the suggestion to modify Nextcloud's config.php file like this:

```php
'twofactor_enforced_on_groups' => [''],
'twofactor_enforced_on_all_users'
'twofactor_grace_period' => 604800,
```

Then I wanted to get further information about the 'twofactor_grace_period' parameter mentioned by ChatGPT, but could not find any information about it in the Nextcloud documentation.

Does anyone know about this parameter or where it is documented?

Or does anyone have another idea how to realise such a delayed 2FA activation?

I have not found the parameter on GitHub for Nextcloud. Maybe your AI is wrong.

But maybe you can use two additional groups, “no2faeven” and “no2faodd”, for no 2FA in even and odd weeks.

  • allow the two groups once to skip 2FA in your Nextcloud 2FA settings
  • in even weeks, delete all users from no2faeven on Monday morning
  • in odd weeks, delete all users from no2faodd on Monday morning
  • in even weeks, add new users to no2faeven
  • in odd weeks, add new users to no2faodd

Then every user gets a minimum of one week and a maximum of two weeks without 2FA. Two groups seem useful so that someone who joins on Friday afternoon can still go without 2FA for one week.

Hopefully it works with

```
 group:adduser                       add a user to a group
 group:removeuser                    remove a user from a group
 group:list                          list configured groups
```

documentation

Yes, the AI was wrong. When I asked it for further information about the parameter, it admitted that it was a hypothetical designation. :see_no_evil: Sorry for not double-checking in advance.

Thanks for your suggestion with the two groups.
I will check in which way we can implement such a system and how to automate it.

That is a very bad choice!
ChatGPT is prone to hallucinations.

One should always read the manual first, and if that does not answer your question, then you should read the code. :thinking::wink:

@ernolf Yes, you are absolutely right. Usually I use ChatGPT just as another vector to find information or to give me a thought provoking impulse.
But one has to realise that it is not yet a Star Trek-like ship computer :sweat_smile:

However, we came up with a solution for this case. This one will work in a Microsoft environment where you use LDAP to synchronise your Active Directory users with your Nextcloud.

We use an Active Directory feature called “Privileged Access Management Feature”. It allows you to create a time-based membership in AD groups.
Once per day a PowerShell script puts all newly created AD users into a certain AD group for a certain amount of time. All members of this group are excluded from the forced 2FA.

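The daily job described in that last post, written out as an added example (this is not the poster's script and not part of the thread). It assumes the grace group is named NC-2FA-Grace, is mapped into Nextcloud through the LDAP app and is listed as an excluded group in Nextcloud's 2FA enforcement settings; that new accounts are created under an assumed OU; that the grace period is 7 days and the job runs once a day (so it looks back one day); and that the forest's Privileged Access Management optional feature has already been enabled. The script checks that last point first, because Add-ADGroupMember rejects -MemberTimeToLive when the feature is off.

```powershell
#Requires -Modules ActiveDirectory
# Daily onboarding job: give newly created AD users a time-limited membership
# in the group that Nextcloud excludes from forced 2FA. Membership expiry is
# handled by AD itself (PAM feature), so nothing has to remove users later.
# All names and periods below are assumptions for this example.

$GraceGroup   = 'NC-2FA-Grace'                 # assumed: excluded from 2FA in Nextcloud
$GraceDays    = 7                              # assumed grace period
$LookbackDays = 1                              # assumed: job runs once per day
$SearchBase   = 'OU=Users,DC=example,DC=com'   # assumed OU for new accounts

# TTL memberships only work when the PAM optional feature is enabled forest-wide.
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam -or -not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled; -MemberTimeToLive would be rejected.'
}

# Enabled accounts created since the last run.
$since    = (Get-Date).AddDays(-$LookbackDays)
$newUsers = Get-ADUser -Filter { whenCreated -ge $since -and Enabled -eq $true } `
                       -SearchBase $SearchBase -Properties whenCreated

# Re-runs must not extend anyone's grace period: skip users already in the group.
$current = Get-ADGroupMember -Identity $GraceGroup | Select-Object -ExpandProperty SamAccountName
$toAdd   = $newUsers | Where-Object { $current -notcontains $_.SamAccountName }

foreach ($u in $toAdd) {
    Add-ADGroupMember -Identity $GraceGroup -Members $u -MemberTimeToLive (New-TimeSpan -Days $GraceDays)
    Write-Output "Added $($u.SamAccountName) (created $($u.whenCreated)) to $GraceGroup for $GraceDays days"
}

# Audit view: AD reports the remaining TTL per member as <TTL=seconds>,DN.
(Get-ADGroup -Identity $GraceGroup -Properties member -ShowMemberTimeToLive).member
```

Run it as a scheduled task under an account that may modify the group and nothing more. Two things to keep in mind when reviewing this: the expiry happens in AD, but Nextcloud only notices it after its next LDAP group sync, so the effective grace period is the TTL plus that sync delay; and the excluded group should contain nobody else, since every member of it bypasses the 2FA policy for as long as they are in it.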