Nextcloud 19 cannot properly disable 2FA

Nextcloud version (eg, 18.0.2): 19.0.1
Operating system and version (eg, Ubuntu 20.04): Alpine Linux Docker
Apache or nginx version (eg, Apache 2.4.25): official docker image
PHP version (eg, 7.1): official docker image

The issue you are facing: Cannot properly disable 2FA fully for user. Usually an annoying issue. Together with LDAP it seems to break sessions every cronjob run.

Additional issues noticed: 2FA backup codes can be enabled on fresh LDAP accounts but are never used. When linking an existing account to LDAP (via manually mapping in database) you get an account where you cannot fully disable 2FA, and it logs you out of most sessions every cron job run.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:
Actually not so sure.

  1. enable 2fa on user (backup codes)
  2. try to remove 2fa. Does not work in UI, try occ twofactorauth:cleanup backup_codes
  3. occ twofactorauth:state user shows no more backup codes.
  4. either wait for cronjob or reload the security settings page
  5. backup codes are re-enabled again, see occ twofactorauth:state user.

The output of your Nextcloud log in Admin > Logging:
No logs.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'datadirectory' => '/var/www/data',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' => 
  array (
    0 => '',
  ),
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'redis',
    'port' => 6379,
  ),
  'config_is_read_only' => false,
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'mariadb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mail_from_address' => 'administrator',
  'logtimezone' => 'Europe/Berlin',
  'logdateformat' => 'Y-m-d H:i:s',
  'lost_password_link' => 'disabled',
  'dbuser' => 'oc_admin',
  'dbpassword' => '',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpauthtype' => 'PLAIN',
  'maintenance' => false,
  'loglevel' => 2,
  'logfile' => 'owncloud.log',
  'updater.release.channel' => 'stable',
  'theme' => '',
  'trusted_proxies' => 
  array (
    0 => '10.2.0.0/16',
  ),
  'overwriteprotocol' => 'https',
  'mail_domain' => '',
  'mail_smtphost' => '',
  'mail_smtpport' => '587',
  'overwrite.cli.url' => '',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '',
  'mail_smtppassword' => '',
  'mail_smtpsecure' => 'tls',
  'app_install_overwrite' => 
  array (
    0 => 'twofactor_yubikey',
    1 => 'twofactor_webauthn',
  ),
  'mysql.utf8mb4' => true,
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
);