Mandatory Configuration of Independent Application Passwords in Nextcloud Passwords App

Current Status

At present, the Nextcloud Passwords app allows users to create independent end-to-end application passwords. However, users are not compelled to set one up, so the stored passwords of anyone who skips this step remain less protected than they could be.

Feature Description

For Administrators:
1.1 Access Nextcloud via the web.
1.2 Open “Settings” and navigate to “Administration” → “Security”.
1.3 There is a section for “Passwords” settings.
1.4 Under the “Passwords” settings, add a checkbox labelled “Force enable end-to-end passwords”.
1.5 Next to it, add an option to restrict enforcement to specific groups or to exclude certain groups.

For Users:
When administrators check the “Force enable end-to-end passwords” checkbox, users accessing the “Passwords” app will encounter the following scenarios:
2.1 If a user has already set up an end-to-end password, they will log in normally without any changes.
2.2 If a user has not set up an end-to-end password, they will be prompted with a mandatory setup wizard.
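The following is an added model of the enforcement rule described in 1.4, 1.5, 2.1 and 2.2; it is illustrative code, not part of the Nextcloud Passwords app. It assumes that an excluded group takes precedence over an included one, that an empty "only groups" list means the rule applies to everyone, and that an admin would want a preview of which users will be prompted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForcePolicy:
    """Admin settings proposed in 1.4 and 1.5 (field names are assumptions)."""
    force_enabled: bool = False
    only_groups: frozenset = frozenset()     # enforce only for these groups; empty = all users
    exclude_groups: frozenset = frozenset()  # never enforce for members of these groups


def policy_applies(policy: ForcePolicy, user_groups) -> bool:
    """True if mandatory setup is in force for a user with these groups.
    Assumption: an exclusion wins over an inclusion."""
    if not policy.force_enabled:
        return False
    groups = set(user_groups)
    if groups & policy.exclude_groups:
        return False
    if policy.only_groups and not (groups & policy.only_groups):
        return False
    return True


def next_step(policy: ForcePolicy, user_groups, has_e2e_password: bool) -> str:
    """Scenario 2.1 -> 'login'; scenario 2.2 -> 'setup_wizard'."""
    if has_e2e_password or not policy_applies(policy, user_groups):
        return "login"
    return "setup_wizard"


def users_pending_setup(policy: ForcePolicy, users) -> list:
    """Admin preview: users who would be sent to the wizard on their next login.
    `users` maps user id -> (groups, has_e2e_password)."""
    return sorted(uid for uid, (groups, has_pw) in users.items()
                  if next_step(policy, groups, has_pw) == "setup_wizard")


# Constructed sample directory: U1 has set a password, U2 has not (the scenario
# in Additional Context); a service account is excluded from enforcement.
SAMPLE_USERS = {
    "u1": ({"staff"}, True),
    "u2": ({"staff"}, False),
    "guest1": ({"guests"}, False),
    "bot": ({"service"}, False),
}
POLICY = ForcePolicy(force_enabled=True, exclude_groups=frozenset({"service"}))

if __name__ == "__main__":
    print(users_pending_setup(POLICY, SAMPLE_USERS))  # ['guest1', 'u2']
```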

Additional Context

Consider a scenario where a security-conscious user, U1, sets up an application password for the Passwords app. However, when U1 needs to share a password with another user, U2, who hasn’t configured an application password, security concerns arise. Without U2 having an application password, the risk of unauthorized access increases, especially if U2’s device is lost or stolen.

By making the configuration of independent application passwords mandatory, we can significantly enhance the security posture of Nextcloud installations and ensure the protection of sensitive information.

Looking forward to seeing this enhancement incorporated into future versions of the Nextcloud Passwords app.