Administrator account locked out Backup Codes not working

Hi, It seems that the last update killed my 2FA.

I’ve just tried to login with my Admin and I got this:

None Of my Backup Codes work. I do not have CLI access, just web and FTP / DB.

Any guidance on how to fix it ?

No Idea ?

Please help me I need to login using my Admin Account

I’m sure there’s a way to do this from the database - for instance, you could step through the PHP code and just do what it would do - but here’s a hack that I’d try if that’s outside your wheelhouse.

The recommended method
The only recommended way to disable it is using the relevant OCC command. In a typical Ubuntu environment, that would be run like this:
sudo -u www-data php /var/www/nextcloud/occ twofactorauth:disable <username> <authprovider>
That’s your best option for disabling it, if only you had shell access, so…

The hack
Upload a php or other cgi script that runs a given command for you when it is accessed as a web page. The usual (because they’re serious!) security caveats apply: don’t give it a guessable name, don’t include it for indexing, and most definitely do take it down as soon as you’ve accomplished the task at hand.
More in-depth ‘web shell’ scripts exist, but it’s far better to upload something with the exact command you know needs to be run, than to set a page that accepts arbitrary commands at any time. That applies even after you’ve got authentication on your web server.

Note that since the script will be running as the same user (likely www-data), and can be uploaded into the Nextcloud folder, you can skip the ‘sudo’ and also use a relative path to OCC. The command you’ll end up running using either of those scripts would instead simplify to something like this:
php ./occ twofactorauth:disable <username> <authprovider>

1 Like

@ANT_Cloud I had a similar issue, It tuns out the app was actually disabled even though it was asking for the code. Running sudo -u www-data php /var/www/nextcloud/occ app:enable twofactor_totp fixed the issue for me

1 Like

You could try to enable the twofactor_totp in the database. You can find it in the oc_appconfig table. Maybe setting twofactor_totp, enable to yes will get you somewhere.

Thanks Everybody I only had time today to look at this again and @budy 's solution was the one I’ve tried first and solve my issue as it was set to “no” (Enable). Thanks

Please regenerate and try again. If they still don’t work please report that to Thank you!

Thanks for the reminder.
re-generated the codes and tested one. It worked without a problem.

I must say my old backup codes were from 2016. Maybe that was a problem too

It shouldn’t be a problem unless you regenerated the codes in the meantime. When you do so it invalidates the previous ones.

Thanks for checking :v:

after update to Nextcloud (version’ => ' I switch 2FA on
At the next login as Admin i got:

Zwei-Faktor Authentifizierung
Es konnte nicht eine Deiner Zwei-Faktor-Authentifizierungsmethoden geladen werden. Kontaktiere den Administrator.
Die Zwei-Faktor-Authentifizierung wird erzwungen, wurde jedoch für Dein Konto nicht konfiguriert. Verwende einen Deiner Backup-Codes zum Anmelden, oder wende Dich für Unterstützung an Deinen Administrator.
Backup-Code benutzen

QUESTION: how can i get the Backup-Code?
Because i can`t login as admin.
It is possible to generate it in the CLI for admin? When yes how? :slight_smile:

sudo -u www-data php occ twofactorauth:admin:generate-code admin

There are no commands defined in the “twofactorauth:admin” namespace.
Did you mean this?

Two-factor authentication is enabled for user admin
Enabled providers:

  • backup_codes
  • totp
    Disabled providers:
  • u2f

but : backup_codes is not installed
No such app enabled: twofactor_totp


Did you try this?

look like i was facing the same issue.
for me I active it from Web Interface and totp or u2f not installed just backup_codes.
i disable it by remove the group from config.php
Best Regards

Hi Guys,

you can edit field “enabled” in oc_twofactor_providers table. I’ve set backup codes for admin user to “0” and it now asks for TOTP and was able to log into the admin account, so this one worked for me.

All the best