OpenOTP is generally working very well, but....

I am currently experimenting with the OpenOTP suite from RCDevs Security in my home lab environment. My existing infrastructure includes an OpenLDAP server that I use for Nextcloud. However, I am also exploring the functionalities of OpenOTP and WebADM for other projects.

Nextcloud Integration

One of the features of OpenOTP is its integration with Nextcloud through the Nextcloud app OpenOTP Auth, available from the Nextcloud App Store. This is a dedicated OpenOTP app for multi-factor authentication (MFA) designed for Nextcloud, which I decided to test. The integration works quite well overall.

Observed Issues

Despite the successful integration, I encountered a minor issue during the enrollment of new apps and services, such as:

  • Nextcloud client
  • Nextcloud Talk
  • Passwords app
  • Other apps on new devices

Authentication Process

When attempting to grant access for a new device, the following steps occur:

  1. An authentication process is initiated.
  2. An app password (token) is generated upon successful authentication.
  3. This token is then deployed to the client app.

(The issue at a glance) The process works seamlessly when using the Time-based One-Time Password (TOTP) method. However, I noticed that the push authentication feature does not function as expected when enrolling new devices or apps, though the exact reason remains unclear. I have a hunch though. Read on.

Redirect Delay

During normal session authentication, I observed a 2-second redirect delay. This delay occurs as the server performs checks related to device phishing and geolocation policies. Only after this period do users receive a success response along with a session cookie.

Mitigation

To work around the issue with push authentication, I recommend preemptively setting a new app password while logged in through a web browser. This is particularly useful if you prefer to use only TOTP for authentication and do not want to support both the HMAC-based One-Time Password (HOTP) and TOTP methods.

Conclusion

Overall, my experience with the OpenOTP suite has been positive, with the Nextcloud integration functioning effectively. The minor issue regarding push authentication is manageable with the outlined mitigation strategies.