Administrator account locked out due to 2FA enforcement

I upgraded to Nextcloud 15 using the beta channel. I am running this on a Raspberry Pi with Apache. For whatever reason, whenever I try to log in with the administrator ID after the upgrade it says "Could not load at least one of your enabled two-factor auth methods. Please contact your admin." This is the only administrator account for the installation.

Is there a way I can disable two-factor authentication on the installation using occ (as I read on a few threads)? Can someone please help me with this? I’m unable to make any changes on the system.

Hi,

Assuming you have the app “twofactor_totp” enabled and this is causing the issue, you could run the following command to disable it:
sudo -u www-data php /path/to/nextcloud/occ app:disable twofactor_totp

If it is not that app causing the issue, use the following command to list all apps and find the twofactor app you are really using:
sudo -u www-data php /path/to/nextcloud/occ app:list

What you could check before all that is the system time of your Raspberry Pi. TOTP methods need a correct system time to work. I had an issue once where my system time wasn’t correctly synced with time servers and authentication failed.

Edit: Oh, you could also simply disable two-factor authentication for your user:
sudo -u www-data php /path/to/nextcloud/occ twofactorauth:disable USERNAME

Thank you very much for your quick reply. I tried the following:

sudo -u www-data php occ twofactorauth:disable

sudo -u www-data php occ twofactorauth:state adminuser
Two-factor authentication is enabled for user adminuser

Enabled providers:
- twofactor_nextcloud_notification
Disabled providers:
- backup_codes
- gateway_signal
- gateway_sms
- gateway_telegram
- totp
- u2f
- yubiotp

sudo -u www-data php occ twofactorauth:disable adminuser

To which I get

Not enough arguments (missing: "provider_id").

I’ve tried: sudo -u www-data php occ twofactorauth:enforce
to which I get:
Two-factor authentication is not enforced

With nothing working out, I elevated a user to the admin group and am now creating a new user.

Any way / any logs that can help me identify what went wrong? The new user in the administrator group isn’t getting the 2FA requirement. Also, I’ve excluded all groups on the deployment from 2FA enforcement.

Finally I removed the notification app for 2FA.

I will get back once I have a dedicated administrator account in place.

So app:disable twofactorauth didn’t help at all? I was expecting that you could log in with username and password only, without any two-factor auth methods at all.

Which two-factor authentication methods were set up before?

What is the output of the following?
sudo -u www-data php occ app:list | grep twofactor

I am sorry, twofactorauth:disable is what I tried and it did not work. Let me try the command you stated. I disabled the user; I can re-enable it and try it.

Also, here are two previous outputs which may help:

    sudo -u www-data php occ app:list
Enabled:
  - activity: 2.8.2
  - bookmarks: 0.14.3
  - calendar: 1.6.4
  - cloud_federation_api: 0.1.0
  - dav: 1.8.0
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - mail: 0.11.0
  - nextcloud_announcements: 1.4.0
  - notes: 2.5.1
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - support: 1.0.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - accessibility
  - admin_audit
  - comments
  - encryption
  - end_to_end_encryption
  - files_external
  - files_pdfviewer
  - files_videoplayer
  - firstrunwizard
  - limit_login_to_ip
  - survey_client
  - twofactor_gateway
  - twofactor_nextcloud_notification
  - twofactor_totp
  - twofactor_u2f
  - twofactor_yubikey
  - user_external
  - user_ldap

sudo -u www-data php occ app:list | grep twofacto

  - twofactor_backupcodes: 1.4.1
  - twofactor_gateway
  - twofactor_totp
  - twofactor_u2f
  - twofactor_yubikey

Just to add: I personally feel this was the issue: twofactor_nextcloud_notification, as it was the only one that matches the “notification” part of the error.

sudo -u www-data php occ app:disable twofactorauth

No such app enabled: twofactorauth

even though the output of your command wasn’t making any changes, and with

sudo -u www-data php occ twofactorauth:enforce --off
Two-factor authentication is not enforced

I am still getting the following error for the original administrator user:

What a strange behavior :open_mouth:
Can you run:
sudo -u www-data php occ app:disable oauth2

at last? Maybe restart apache once as well.

OAuth can’t be disabled.

I have restarted apache2 service post changing the settings.

So which method worked before?

Hi

I ran into nearly the same problem. I think it has to do with 2FA activated via the TOTP app in Nextcloud 14, which is not updated yet for Nextcloud 15. During the installation process the app twofactor_totp was disabled due to the incompatibility, and no other 2FA option is available now.

I got a solution which worked for me:

sudo -u www-data php occ app:update --all
(new version of twofactor_totp will be installed)

sudo -u www-data php occ app:enable twofactor_totp

After that I can log in with 2FA again.


Perhaps something to report to the developers that they make sure you are not locked out…
@ChristophWurst

I’m going to add what helped me just in case someone needs it. :slight_smile:

I elevated an existing user to admin group, logged in with the newly elevated user and disabled the original master administrator. I created a new user and it never had the issue of 2FA forced lockout.

If there’s a way to collect debug log just to ensure this isn’t a bug, I’d love to find out and send the logs.

Thank you.


Perfect, so there are two possible solutions now :slight_smile:

If it helps finding the bug: my log shows these two lines for several times:

[core] Error: two-factor auth provider ‘totp’ failed to load
[core] Error: 1 two-factor auth providers failed to load

I have 2 repeating error entries: 1. "1 two-factor auth providers failed to load" and 2. "two-factor auth provider 'twofactor_nextcloud_notification' failed to load".

Raw logs entries are as below.

{"reqId":"XBZm338AAQEAAAbsxgMAAAAH","level":3,"time":"2018-12-16T14:53:19+00:00","remoteAddr":"redactedIP","user":"redactedusername","app":"core","method":"GET","url":"/index.php/login/selectchallenge","message":"1 two-factor auth providers failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 OPR/57.0.3098.102","version":"15.0.0.10","id":"5c16ad61a3c49"}


{"reqId":"XBZnCn8AAQEAAAbsxggAAAAH","level":3,"time":"2018-12-16T14:54:02+00:00","remoteAddr":"redacted IP","user":"redacted username","app":"core","method":"GET","url":"/index.php/login/selectchallenge?redirect_url=/index.php/apps/files/","message":"two-factor auth provider 'twofactor_nextcloud_notification' failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 OPR/57.0.3098.102","version":"15.0.0.10","id":"5c16ad61a3bc1"}

Thanks @tflidd

Since Nextcloud 14 the server keeps track of which providers are enabled/disabled. This improves login performance and is also more resistant to provider apps failing to load. In the latter case older Nextclouds would still let you log in, but this might not be desirable if the failure to load is caused by a bug or an attacker. Hence Nextcloud now blocks access if it knows that a provider (totp, u2f, notifications or any other) was active before but can’t be loaded. This is not a bug :wink:

You can disable some but not all 2FA providers via the CLI. From Nextcloud 14 to 15 that changed in that you now have to specify which provider you want to have disabled. Alternatively, the https://apps.nextcloud.com/apps/twofactor_admin app can help gain access to locked accounts. Note that there are some unresolved issues with recent versions of MariaDB though.

Thanks for your solution. I want to add a footnote.

For me, php occ app:update --all did not seem to update any extensions at all.
I had to specifically upgrade two-factor auth using php occ app:update twofactor_totp. Then enabling it works again.

P.S.: I am using the nextcloud:latest docker image.
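Added example, not code from the thread or from Nextcloud: a small recovery helper that ties the steps above together. It parses the output of `occ twofactorauth:state <uid>` and `occ app:list` (both quoted earlier in the thread) and, for every provider still recorded as enabled for the user but whose app will not load, plans the repair: `app:update` followed by `app:enable` when the app is merely disabled (the fix posted above, using the per-app update the footnote found necessary), or the two-argument `twofactorauth:disable <uid> <provider_id>` that the earlier "missing: provider_id" error asked for when the app is not installed at all. The OCC, NC_USER, DRY_RUN and RUN_RECOVERY variables, the default occ path, and the provider-to-app mapping for everything except totp and twofactor_nextcloud_notification are assumptions, not taken from the thread; the sample state and app-list outputs at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added recovery helper for the 2FA lock-out discussed in this thread. Not part
# of the thread or of Nextcloud. It reads `occ twofactorauth:state <uid>` and
# `occ app:list` output, finds every provider still enabled for the user whose
# app no longer loads, and builds the occ commands that would repair the account.
#
# Assumed (not from the thread): OCC, NC_USER, DRY_RUN, RUN_RECOVERY, the default
# occ path, and the provider-to-app mapping except for totp and
# twofactor_nextcloud_notification.

OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"   # assumed path
NC_USER="${NC_USER:-adminuser}"
DRY_RUN="${DRY_RUN:-1}"

# Print the provider ids listed under "Enabled providers:" in the output of
# `occ twofactorauth:state <uid>`, one per line.
enabled_providers() {
    printf '%s\n' "$1" | awk '
        /^Enabled providers:/  { on = 1; next }
        /^Disabled providers:/ { on = 0 }
        on && /^- /            { print $2 }'
}

# Map a 2FA provider id to the app id that ships it. totp and
# twofactor_nextcloud_notification come from the thread; the rest are assumed.
provider_app() {
    case "$1" in
        totp)                             echo twofactor_totp ;;
        twofactor_nextcloud_notification) echo twofactor_nextcloud_notification ;;
        u2f)                              echo twofactor_u2f ;;          # assumed
        backup_codes)                     echo twofactor_backupcodes ;;  # assumed
        yubiotp)                          echo twofactor_yubikey ;;      # assumed
        gateway_*)                        echo twofactor_gateway ;;      # assumed
        *)                                return 1 ;;
    esac
}

# Print "enabled" or "disabled" depending on which section of `occ app:list`
# output ($1) lists app $2; print nothing if the app is not installed at all.
app_section() {
    printf '%s\n' "$1" | awk -v app="$2" '
        /^Enabled:/  { sec = "enabled";  next }
        /^Disabled:/ { sec = "disabled"; next }
        $1 == "-"    { name = $2; sub(/:$/, "", name)
                       if (name == app) { print sec; exit } }'
}

# Print the occ subcommands (one per line) that make every provider enabled for
# user $3 loadable again. $1 = twofactorauth:state output, $2 = app:list output.
plan_commands() {
    enabled_providers "$1" | while read -r provider; do
        if app=$(provider_app "$provider"); then
            case "$(app_section "$2" "$app")" in
                enabled)  ;;   # app loads; nothing to do for this provider
                disabled) printf 'app:update %s\napp:enable %s\n' "$app" "$app" ;;
                *)        printf 'twofactorauth:disable %s %s\n' "$3" "$provider" ;;
            esac
        else
            # Unknown provider id: the only safe repair is to drop it for the user.
            printf 'twofactorauth:disable %s %s\n' "$3" "$provider"
        fi
    done
}

# Live run: query occ, then print (DRY_RUN=1) or execute the planned commands.
main() {
    state=$($OCC twofactorauth:state "$NC_USER")
    apps=$($OCC app:list)
    plan_commands "$state" "$apps" "$NC_USER" | while read -r line; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: $OCC $line"
        else
            $OCC $line    # word-splitting of $OCC and $line is intended
        fi
    done
    $OCC twofactorauth:state "$NC_USER"   # show the resulting per-user state
}

# Constructed sample inputs, modelled on the outputs quoted in the thread
# (not real output from any system).
SAMPLE_STATE='Two-factor authentication is enabled for user adminuser

Enabled providers:
- twofactor_nextcloud_notification
- totp
Disabled providers:
- backup_codes
- u2f'

SAMPLE_APPS='Enabled:
  - twofactor_backupcodes: 1.4.1
  - files: 1.10.0
Disabled:
  - twofactor_nextcloud_notification
  - twofactor_u2f'

if [ "${RUN_RECOVERY:-0}" = 1 ]; then
    main
else
    plan_commands "$SAMPLE_STATE" "$SAMPLE_APPS" adminuser
fi
```

Run as-is it only prints the plan for the constructed sample; `RUN_RECOVERY=1 DRY_RUN=1 NC_USER=<uid> sh recover.sh` prints what it would run against the real installation, and `DRY_RUN=0` executes it. Two caveats from the thread still apply: `twofactorauth:enforce --off` does not help here, because the block comes from the per-user provider record, not from enforcement; and if an app is listed as enabled yet the log still reports "two-factor auth provider '...' failed to load", run `app:update <app>` by name and check the system clock before anything else.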
