I upgraded to Nextcloud 15 using the beta channel. I am running this on a Raspberry Pi with Apache. For whatever reason whenever I am trying to login with administrator ID post the upgrade it says " Could not load at least one of your enabled two-factor auth methods. Please contact your admin.". Now this is for the only administrator account for the installation.
is there a way I can disable two factor authentication on the installation using occ (as I read on few threads). Can someone please help me with this. Iâm unable to make any changes on the system.
Assuming you have the app âtwofactor_totpâ enabled and this is causing the issue, you could run the following command to disable it: sudo -u www-data php /path/to/nextcloud/occ app:disable twofactor_totp
If it is not that app causing the issue, use the following command to list all apps and find the twofactor app you are really using: sudo -u www-data php /path/to/nextcloud/occ app:list
What you could check before all that, is the system time of your raspi. TOTP methods need a correct system time to work. I had an issue once, where my system time wasnât correctly synced with time servers and authentication failed.
Edit: Oh, you could also simple disable two-factor-authentication for your user: sudo -u www-data php /path/to/nextcloud/occ twofactorauth:disable USERNAME
Iâve tried: sudo -u www-data php occ twofactorauth:enforce
to which I get: Two-factor authentication is not enforced
With nothing working out, I elevated a user to admin group and now creating a new user.
Anyway / any logs that can help me identify what went wrong? As the new user in administrator group isnât getting 2FA requirement. Also, Iâve excluded all groups on the deployment from 2FA enforcement.
Finally I removed the notification app for 2FA.
I will get back once I have a dedicated administrator account in place.
So app:disable twofactorauth didnât help at all? I was expecting that you could login with username and password only - without any twofactorauth methods at all.
Which two-factor authentications have a setup before?
What is the output of the following? sudo -u www-data php occ app:list | grep twofactor
I am sorry, twofactorauth:disable is what I tried and it did not work. Let me try the command you stated. I disabled the user and I can re-enable and try it.
also here are two previous outputs which may help:
Just to add: I personally feel this was the issue: twofactor_nextcloud_notification as it was the only one that matches ânotificationâ part of the error.
I ran into the nearly same problem. I think it has to do with an activated 2FA via the totp-app in nextcloud 14, which is not updated yet for nextcloud 15. during the installation process the app twofactor_totp has been disabled due to the incompatibility. and no other 2FA option is available now.
Iâm going to add what helped me just in case someone needs it.
I elevated an existing user to admin group, logged in with the newly elevated user and disabled the original master administrator. I created a new user and it never had the issue of 2FA forced lockout.
If thereâs a way to collect debug log just to ensure this isnât a bug, Iâd love to find out and send the logs.
I have 2 repeating error entries. 1 two-factor auth providers failed to load and 2. two-factor auth provider âtwofactor_nextcloud_notificationâ failed to load
Raw logs entries are as below.
{"reqId":"XBZm338AAQEAAAbsxgMAAAAH","level":3,"time":"2018-12-16T14:53:19+00:00","remoteAddr":"redactedIP","user":"redactedusername","app":"core","method":"GET","url":"/index.php/login/selectchallenge","message":"1 two-factor auth providers failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 OPR/57.0.3098.102","version":"15.0.0.10","id":"5c16ad61a3c49"}
{"reqId":"XBZnCn8AAQEAAAbsxggAAAAH","level":3,"time":"2018-12-16T14:54:02+00:00","remoteAddr":"redacted IP","user":"redacted username","app":"core","method":"GET","url":"/index.php/login/selectchallenge?redirect_url=/index.php/apps/files/","message":"two-factor auth provider 'twofactor_nextcloud_notification' failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 OPR/57.0.3098.102","version":"15.0.0.10","id":"5c16ad61a3bc1"}
Since Nextcloud 14 the server keeps track of which provider are enabled/disabled. This improves the login performance and also is more resistant to provider apps failing to load. In the latter case older Nextclouds would still let you log in, but this might not be desirable if the failure to load is caused by a bug or an attacker. Hence Nextcloud now blocks access if it knows that a provider (totp, u2f, notifcations or any other) was active before but canât be loaded. This is not a bug
You can disabled some but not all 2FA providers via the CLI. From Nextcloud 14 to 15 that changed as in that you now have to specify which provider you want to have disabled. Alternatively, the https://apps.nextcloud.com/apps/twofactor_admin app can help gain access on locked accounts. Note that there are some unresolved issues with recent versions of MariaDB though.
Thanks for your solution. I want to add a footnote.
For me, php occ app:update --all did not seem to update any extensions at all.
I had to specifically upgrade two factor auth by using php occ app:update twofactor_totp. Then enabling it works again.
P.S.: I am using the nextcloud:latest docker image.
