2FA not workimg any longer

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 12.0.2): 13.0.5
Operating system and version (eg, Ubuntu 17.04): FreeBSD 11.2
Apache or nginx version (eg, Apache 2.4.25): 2.4.34
PHP version (eg, 7.1): 7.2.8

The issue you are facing:
2FA enabled, but users can login without

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. have your phone with 2FA app stolen
  2. disable 2FA with sudo -u www php occ twofactorauth:disable $user
  3. disable 2FA in user’s settings
  4. enable 2FA with sudo -u www php occ twofactorauth:enable $user
  5. enable 2FA in user’s settings, scan QR code with new 2FA phone app
  6. log off and log on as $user

The output of your Nextcloud log in Admin > Logging:

There is no Admin > Logging menu entry

The output of your config.php file in `/path/to/nextcloud` (make sure you remove any identifiable information!):
$CONFIG = array (
  'instanceid' => 'foobar',
  'passwordsalt' => 'abc123',
  'secret' => '123456',
  'trusted_domains' =>
  array (
    0 => 'daisy.home.net',
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'overwrite.cli.url' => 'https://daisy.home.net/cloud',
  'dbtype' => 'mysql',
  'version' => '',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'secret',
  'installed' => true,
  'mail_from_address' => 'nextcloud',
  'mail_smtpmode' => 'php',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_domain' => 'home.net',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'maintenance' => false,
  'loglevel' => 2,
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => true,
    1 =>
    array (
      'path' => '/usr/local/www/nextcloud/apps-pkg',
      'url' => '/apps-pkg',
      'writable' => false,
  'theme' => '',

The output of your Apache/nginx/system log in /var/log/____:
no error to see here

On your 5 step are you sure that you validate the Qrcode ?

When you scan it, under it it ask you a 6-digit code to validate it. If you don’t do it, 2FA won’t work on this user account

Wouldn’t it be easier to log in with the backup codes provided during 2FA setup and then setting up a new 2FA device?