2FA renewal for larger groups really necessary

While testing NC we found that it is not possible for users to renew or replace their 2FA key. Basically a common feature on all major sites that require some kind of login.

There seem to be ways to achieve this via the Linux command line, but that’s not a practical solution for a larger userbase.

2FA is so important these days and users are losing keys or their smartphone with the 2FA keys on them.

Nextcloud left the hackers' niche a long time ago. There should be a security feature to allow users to replace their 2FA key on their own.

In this regard, the common advice of Ionos (a big European hosting company) is to deactivate 2FA completely once a key has been lost, or to save recovery keys. That's not very convenient and might lead to reduced security.

That’s actually possible. With 2FA WebAuthn (Hardware Security Keys), they can remove the current security key and add a new one, or even add additional/multiple security keys.

With TOTP they have to remove the existing TOTP-key and then set up TOTP again.

Yes, replacing a hardware security key, after they lost the original one, is actually not possible, but they can and should add multiple keys.

If they are using TOTP, they could use the backup codes that are generated during the TOTP setup process to login, and then set-up TOTP again with their new device/app. Alternatively, they could have backed up the TOTP key/QR code during the TOTP setup process.

Yes, but in order for users to be able to add a new key themselves after losing their original key, you would have to offer them an alternative login method without 2FA or with a weaker 2FA solution such as email, SMS, etc., which in turn would weaken security for all accounts on your instance.

Convenience is the enemy of security. Simply enforce 2FA for all your users and tell them to keep their TOTP backup codes or add multiple hardware security keys.

Thanks for your reply. Unfortunately not all users are so tech-savvy in a real world scenario. We could ask them to produce and keep security codes but some might forget to do so. And is there any guarantee these backup codes are stored safely?

Therefore I am suggesting to the developers to implement a user-friendly mechanism like many of the big sites (like PayPal or Google) that allows users to produce a new key easily. There are many great examples out there.

And how exactly did they implement that?

For Google Workspace, it looks like they are suggesting exactly the same things as I did: Recover an account protected by 2-Step Verification - Google Workspace Admin Help

And for normal Google Accounts I found this: Sign in if you lost your security key - Google Account Help

If you don’t have another second step or forgot your password

Note: 2-Step Verification requires an extra step to prove you own an account. Because of this added security, it can take up to 3-5 business days for Google to make sure it’s you trying to sign in.

Doesn’t sound very convenient to me :wink:

And again, if they were to simply send you an automated email to restore an account that has 2FA enabled, or just ask for the password without any additional verification, it would completely defeat the purpose of 2FA, and you might as well not use it at all.