Login to nextcloud via 2-factor auth (totp) issue

I have Nextcloud 17 on Ubuntu LXD and I log in with 2-factor auth (TOTP).
I restored the app on another mobile, then tried to log in and entered the number from the app, but Nextcloud does not accept the number and, without any error message, clears the screen and waits for the authenticator app.
I don’t have a backup code for this user and I can’t delete the user. How to resolve this issue?
I can log in as admin, but I don’t want to stop authentication for all. Is there some command to disable 2-factor auth for only one user and enable it after login?

You can install the Two-Factor Admin Support app. This will let the admin generate a one time code for a user so they can get in and fix their authenticator without needing to turn TOTP off.

You can install the Impersonate app, login as administrator, switch to the user account and fix the problem for the user.

@KarlF12: There is no app with two-factor admin support for Android. I can’t find it.
@j-ed no impersonate app and I can log in as admin to Nextcloud.
Is there any way to disable two-factor auth only for a user from admin? Or if I do it, will it be disabled for all users? If I do it for all users and log in, then enable it for all users, what will happen for all users?

The usage of the word “app” isn’t always related to Android or any other mobile device. It is also used for all optional components of Nextcloud. You will find the two-factor admin support app and also the impersonate app in the Nextcloud app store :wink:

What is the problem with the app, aren’t you able to install it as an administrator?

You can use the occ tool to disable the function for a user:

> ./occ twofactorauth:disable --help
Description:
  Disable two-factor authentication for a user

Usage:
  twofactorauth:disable [options] [--] <uid> <provider_id>

Arguments:
  uid
  provider_id

Options:
      --output[=OUTPUT]  Output format (plain, json or json_pretty, default is plain) [default: "plain"]
  -h, --help             Display this help message
  -q, --quiet            Do not output any message
  -V, --version          Display this application version
      --ansi             Force ANSI output
      --no-ansi          Disable ANSI output
  -n, --no-interaction   Do not ask any interactive question
      --no-warnings      Skip global warnings, show command output only
  -v|vv|vvv, --verbose   Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

It’s more secure to use two-factor admin support because then the account isn’t left with 2FA disabled for any length of time.

I installed Two-Factor Admin Support as admin in Nextcloud. How to generate a code for a user?
Is there any documentation for how to do that? Thanks

Sorry, it’s not installed. I can’t because it depends on SQLite or MySQL as the database. I installed on PostgreSQL.

You need to open a shell, navigate to the Nextcloud document root and execute:

./occ twofactorauth:admin:generate-code <uid>

Is uid the username login?

Yes, I think so - give it a try :wink:

I’ve just seen that you can also navigate to Settings > Maintenance > Security and set a one-time-code for a user using the GUI:

I try:
sudo -u www-data php occ twofactorauth:admin:generate-code "username"
Error:

There are no commands defined in the "twofactorauth:admin" namespace.

Did you mean this?
twofactorauth

When I just run:
sudo -u www-data php occ twofactorauth
Command "twofactorauth" is not defined.

Did you mean one of these?
twofactorauth:cleanup
twofactorauth:disable
twofactorauth:enable
twofactorauth:enforce
twofactorauth:state

OK, I installed the Impersonate app and logged in as the user. Then I disabled and enabled the TOTP app. It’s OK now.
It’s easy from the GUI. But I want to see how I can generate a one-time code from the command line and use it.
The possibilities from ./occ twofactorauth are state, enforce, …, not generate-code.

You need to install and activate the Two-Factor Admin Support app first, before you can access its functions on the console or by using its GUI function. It seems that you haven’t done this yet, because otherwise you should see the occ option twofactorauth:admin:generate-code.