2FA Login Flow Refinements Proposal

Context (from a Two Factor Email Maintainer)

Once the login flow is modified, I suggest that the 2FA flow itself be modified, too: What really disturbs me is the need to SELECT CHALLENGE. One shouldn’t have to. Either use the method used last time or let the user set a DEFAULT METHOD. Offer that right away and allow the user to CHANGE the method if she/he cannot use the default method for THIS particular login. That is what I see in GitHub, WordPress, etc. It eliminates one click for all users who have more than one method set up (which is a good idea). Personally, I have a FIDO2 key in my laptop. But when I need to access a NC from another device, I use TOTP.

Is THIS the right place for that proposal or should it be a separate issue? I’m happy to create one and link it here…

To further streamline the login flow, there should be an option to log out without losing 2FA device trust, like Amazon does. They seem to have two tokens: One for the user login credentials (username/password) and one for the second factor (TOTP in that case). One may log out (e.g. to make sure no other family member uses it) without the need to re-enter the 2nd factor upon re-login. That is a strong use case I think, but surely wrong here. But it would be interesting to have the login flow source code above, to be able to modify it.
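The two ideas above (offer the last-used method by default but let the user switch, and keep a separate device-trust token that survives a credential logout) sketched as an added Python model; this is example code written for this page, not code from the commenter or from the project under discussion, and every name in it (`Account`, `login`, `logout`, the signing key) is an assumption.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed per-deployment signing key (assumption)
SESSIONS = set()                       # live credential sessions; cleared on logout

def sign(payload: dict) -> str:
    """Encode payload and append an HMAC so the client cannot alter uid/expiry."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify(token: str, uid: str) -> Optional[dict]:
    """Return the payload only if the MAC is valid, it belongs to uid and it has not expired."""
    body, _, mac = token.partition(".")
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return None
    p = json.loads(base64.urlsafe_b64decode(body))
    return p if p["uid"] == uid and p["exp"] > time.time() else None

class Account:
    def __init__(self, uid: str, methods: list):
        self.uid, self.methods, self.last_method = uid, methods, methods[0]

def new_session() -> str:
    s = secrets.token_urlsafe(32)
    SESSIONS.add(s)
    return s

def login(acct: Account, password_ok: bool, trust=None, method=None, factor_ok=None):
    """Returns (session, trust_token, pending_method); pending_method is set when
    the caller must still present a second factor using that method."""
    if not password_ok:
        return (None, None, None)
    if trust and verify(trust, acct.uid):          # trusted device: second factor skipped
        return (new_session(), trust, None)
    method = method or acct.last_method            # default to the last-used method
    if method not in acct.methods:                 # user may switch, but only to an enrolled one
        raise ValueError("method not enrolled")
    if factor_ok is None:                          # challenge the user with this method
        return (None, None, method)
    if not factor_ok:
        return (None, None, None)
    acct.last_method = method                      # remember the choice for next time
    trust = sign({"uid": acct.uid, "m": method, "exp": time.time() + 30 * 86400})
    return (new_session(), trust, None)

def logout(session: str) -> None:
    SESSIONS.discard(session)   # ends the credential session only; device trust survives
```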
