I LOVE Nextcloud but I’m really getting frustrated with the official TOTP app. It seems like whenever I update, I get locked out, occ won’t work properly, and I end up having to go into the nextcloud database to disable so I can log in. And I can’t force 2FA because then new users can’t even log in the first time. I see a 2FA app in the app store (Two Factor e-mail provider) but it appears incompatible with NC16. Is there any chance of getting something like this to work with NC 15+? I see many many posts from individuals that are experiencing similar issues, I feel an email authenticator could resolve both issues. Thanks!
Getting token from an email is really a bad idea.
You shouldn’t implement that.
It’s the first thing hackers get access, your emails.
Better use FreeOTP app for the 2factor auth.
hi robertb,
Yeah, I do understand your frustration on getting the TOTP app to work. I’ve gone thru a difficult learning too, basically, Just make sure you got the 10 backup codes handy in case you are locked out by 2FA. And I find the occ cli tool a good way to perform reset of troubleshooting, some sample useful commands as following:
Preformatted text
root@hc1:/home/vincent# sudo -u www-data php /var/www/html/nextcloud/occ twofactorauth:state yenli
Two-factor authentication is not enabled for user yenli
Disabled providers:
- admin
- backup_codes
- totp
- u2f
root@hc1:/home/vincent# sudo -u www-data php /var/www/html/nextcloud/occ twofactorauth:state yenli
Two-factor authentication is not enabled for user yenli
Disabled providers:
-
admin
-
backup_codes
-
totp
-
u2f
root@hc1:/home/vincent# sudo -u www-data php /var/www/html/nextcloud/occ twofactor:cleanup email
You could selectively enforce that 2FA for a certain user group, or exclude them. I’m also using nc16.0.1, and I managed to setup 2FA for the admin user. More critical to secure the admin user.
Just my 2 cents.
Thanks both for insight/comments. I understand about the concern of email, I guess I’m just getting desperate. By “locked out”, I mean no option even to enter a code, no way to move forward. If I create a user account when 2FA is enforced, this is what my new user sees, a brick wall, not even a grace login (that would be ideal to allow a user to configure TOTP on first login).
Is it possible for me to edit this text to change “your admin” to an email address? I have no clue where to locate this file but at least it would give a user someone to contact to temporarily disable 2FA for the account.
Thanks!
Do I understand from github “2FA setup during login #15304” that a grace login or equivalent workaround could be available for NC17? If yes, then I will be patient and wait as that would be my preferred solution. Thanks as always to the people who do the heavy lifting.
This is one of those problems that has plagued security tools for decades. 2FA is a huge improvement on security for all users, whether using email, text, voice call, two cans and string, whatever. The attacker has to compromise 2 (two, as in 2FA) different systems to gain access.
Security professionals point out, quite rightly, that anyone with SS7 access can intercept SMS messages from anywhere in the world, thus all state-level and many well-financed criminal organizations can crack SMS 2FA codes if they already have your first factor. If you or your users are legitimate targets of people with millions of dollars to deploy on attacks, SMS is not for you.
Similarly, people have often pointed out that some email servers (STILL) do not use encrypted sessions to send email (and this isn’t enforced generally) and thus someone at the ISP level could be monitoring. The Thunderbird add-on “Paranoia” will provide a nice iconographic indicator per message as to whether the message got to you fully TLS encrypted or not. I find that the vast, vast majority of email I get arrived fully encrypted, including all gmail and all messages from my servers. The premise that mail is “unencrypted” is generally false and easily tested by a competent sysadmin. Sure, arp poisoning attacks can be used to downgrade transport, but such attacks are inside jobs. If you or your users might be compromised by such attacks, for example activists working in democracy challenged environments, email 2FA is not for you. Otherwise, it is probably fine.
The problem I have as an admin is that 2FA as implemented in core, without email as at least an enable-able option for time-limited 2FA codes (#17584) is simply unusable in practice for normal people. This is why every bank, every financial institution, every web service also implements backup 2FA by email and SMS. If this is too risky for you, don’t use it - you know who you are - if you don’t know, it isn’t a risk for you.
Don’t let the perfect be the enemy of the great. 2FA is great, even with email OTP. It isn’t perfect, even without email OTP.
The basic problem one runs into enabling 2FA as in core is that you can’t really avoid locking all of your users out permanently if they don’t happen to have an active session at transition. Quite an odd catch 22 to have made it through testing. (https://github.com/nextcloud/server/issues/17584)
If you can ask your users to enable 2FA one at a time and wait for them to get around it, add the plug-in https://apps.nextcloud.com/apps/twofactor_totp which allows users to activate 2FA per user (otherwise it is system-wide, everyone is locked out, sorry…) I like andOTP as a TOTP app, the QR code works great. Should be a tolerable slog to get working for most users.
You can also get around locking out all your users with a little one-on-one bonus hassle using https://apps.nextcloud.com/apps/twofactor_admin which allows an admin to generate a 2FA code for another user. How will you send it? Email, obviously… Tedious with a lot of users, and highly annoying to your users, but it works.
Once a path to enabling 2FA has been determined, unless you believe you or your users are the target of state-level surveillance who have dedicated resources to compromising your ISP in order to intercept your mail, https://apps.nextcloud.com/apps/twofactor_email solves the This Is Not The One True Correct Path To Security problem by adding a verified email address as a 2FA token delivery path. This is awesome and essential and brings NextCloud 2FA up to typical financial institution standards of security vs. convenience, but is post egg (or chicken… whichever) as users can’t sufficiently authenticate an email address to get the 2FA token until 2FA is enabled. DOH! (twofactor_TOTP user-driven conversion to 2FA works fine as long as they verify the email address in the same session as enabling 2FA).
I also dig https://apps.nextcloud.com/apps/twofactor_u2f, but my old YubiKey Standard (2014-2016) isn’t up to the task. I’m going to try a GoTrust Idem Key (FIDO U2F/FIDO2) and try the ISO 14443/Mifare/DESFire integration. They say they have FIPS 140-2L3 certification according to the site, but I haven’t seen the cert yet. Obviously this is about as high up the hassle:security ratio as you can possibly climb as you need to buy and carry around a physical artifact, but it is pretty nifty.
2 Likes