Don't use 2FA from local LAN or specified networks

Hi there,

is there a way to not use 2FA from local network or specified IP addresses?
I'd like to just use a normal login from e.g. the local LAN (or specified external IP addresses), but have 2FA enabled from all other places.
I’m using nc 20.0.5

I think it's not possible. I know that especially when you set up a new system and log in multiple times, using different users, for testing and so on… 2FA might be annoying, but this is usually not the case for daily operations… In general 2FA is not as disturbing as it seems: once you whitelist your NC domain and your browser keeps the session cookie, you remain logged in for ages… and if you get a new device it's not hard to follow the 2FA login once (per app), and I bet you appreciate this extra security layer as well…

Ok, thanks for the answer. It's not annoying… maybe more laziness on my part :wink:

Hi @newbie75

I found manually entering the TOTP code every time I wanted to log in kind of annoying. Then at some point I ordered two YubiKeys and set up U2F. Now entering the second factor is just one button press on the YubiKey. Of course this has the disadvantage that if you don't have your YubiKey with you, then you can't log in. But since I mainly need Nextcloud as a backend for the Android app and for syncing my calendar when I'm on the road, that's not really an issue. And if you always have the second YubiKey on your keychain, it's a non-issue anyways.


Can you please elaborate. Whitelist how/where? Which domain, local server domain? Thanks

In your browser. Successful authentication results in some cookies placed on the system. These cookies allow you to access Nextcloud (or any other service) within the cookie lifetime.

You should familiarize yourself with some very basic concepts of web applications before you start hosting somewhat complex software like Nextcloud…

Yes, I think having an option to not force 2FA from specific IPs or the local network would be awesome. Currently O365 has this option under their conditional access rules. I don't see a reason to enforce 2FA on your local network. Since users are on a secure network there is no need to force 2FA, but if they log in from outside the network then enforce it.

Also, it seems like a lot of users are asking for it.

That is not fully true. With malware on the client the hacker can use the local client like an external client.

A browser is stateless, unlike a full Nextcloud client. With 2FA you get a massive security improvement.

I second that. Yes, excluding local networks from 2FA is common and desirable; almost all commercial enterprise apps have that option now. If your local network is correctly secured, then being on it serves as the second factor. The major threat is from the Internet (if they are inside and logged into your local network, you've got much bigger problems). We want to make our users happy and productive, so the easier we can make it for them, the better.
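To make the "conditional access" idea from the two posts above concrete, here is an added example of the policy check such a feature would have to perform. It is not Nextcloud code and not from any poster; the trusted networks, the proxy address and the request values are constructed for illustration. The one detail a practitioner would want to see is that the client address must come from the TCP peer, not from an `X-Forwarded-For` header, unless that header was set by your own reverse proxy; otherwise anyone on the Internet could claim a LAN address and skip the second factor. As the earlier reply notes, a compromised client on the LAN is still exempted by this rule, so the exemption is a convenience trade-off, not a replacement for the factor.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed policy for this example: logins whose client address falls in one
# of these networks skip the second factor; everyone else must present it.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),  # office LAN (example value)
    ipaddress.ip_network("10.0.0.0/8"),      # internal ranges (example value)
    ipaddress.ip_network("203.0.113.7/32"),  # one fixed external address (example value)
]


def resolve_client_ip(remote_addr: str, forwarded_for: Optional[str] = None,
                      trusted_proxies: Iterable[str] = ()) -> IPAddress:
    """Decide which address the policy is evaluated against.

    X-Forwarded-For is client-controlled text, so it is honoured only when the
    TCP peer is one of our own reverse proxies. Otherwise the socket peer is used,
    which an external client cannot forge.
    """
    peer = ipaddress.ip_address(remote_addr)
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if forwarded_for and any(peer in p for p in proxies):
        # A trusted proxy appends the address it saw as the last element.
        try:
            return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
        except ValueError:
            pass  # malformed header: fall back to the socket peer
    return peer


def second_factor_required(client_ip: IPAddress,
                           trusted_networks=TRUSTED_NETWORKS) -> bool:
    """True unless the client address is inside an exempted network."""
    return not any(client_ip in net for net in trusted_networks)


def evaluate_login(remote_addr: str, forwarded_for: Optional[str] = None,
                   trusted_proxies: Iterable[str] = ()) -> dict:
    ip = resolve_client_ip(remote_addr, forwarded_for, trusted_proxies)
    return {"client_ip": str(ip), "require_2fa": second_factor_required(ip)}


if __name__ == "__main__":
    # Constructed requests: direct LAN login, direct Internet login, an Internet
    # client spoofing a LAN address in the header, and a real login via the
    # reverse proxy at 10.0.0.2 (example proxy address).
    print(evaluate_login("192.168.1.20"))
    print(evaluate_login("198.51.100.9"))
    print(evaluate_login("198.51.100.9", forwarded_for="192.168.1.20"))
    print(evaluate_login("10.0.0.2", forwarded_for="198.51.100.9",
                         trusted_proxies=["10.0.0.2"]))
```

The fourth case shows why the proxy handling matters: the proxy itself sits in 10.0.0.0/8, so without unwrapping the header every request arriving through it would look internal and be exempted.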

@kentravis
Yes, I think you are right.
@kentravis @newbie75
Maybe someone can open an issue for the Two-Factor TOTP Provider app here.

Where we are at:
Couldn't you do without the password when logging in via 2FA? I would find that practical.