Single QR code in Nextcloud two-factor authentication

Hello. We can log in to the application with TOTP authentication. However, when the TOTP application is deleted from the phone, we do not see the QR code to receive the code again. When TOTP is reinstalled on the phone, it wants to read the QR code. But once the system logs in, it always asks for a verification code without sending the QR code.

Afaik, there’s no way to retrieve the QR-code, respectively the TOTP-key, once you finished setting up TOTP. However, there are multiple ways to prevent yourself from being locked out…

  • Generate and download the backup codes after you have set-up TOTP and store them at a secure location, i.e. in a password manager like KeePass. These codes can be used to log in without using the phone app.

    Once you logged-in by using a backup code you can generate a new TOTP-key / QR-code, and set-up the phone app again.

  • When setting up TOTP in Nextcloud, copy the TOTP-key and / or screenshot the QR-code and save them at a secure location. By doing so you could use the same key again, in case you have to re-install the phone app.

  • Use a phone app that supports backing up the TOTP-keys. I use Aegis Authenticator.

1 Like
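Why a saved TOTP key or QR screenshot keeps working after the phone app is reinstalled, as an added example that is not part of the original posts: a TOTP code depends only on the shared key and the current time (RFC 6238), so any app given the same key produces the same codes. The URI below is a constructed sample using the RFC 6238 test key, the function names are hypothetical, and SHA-1, 6 digits and a 30-second step are assumed as the parameters.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample: the kind of otpauth:// URI a TOTP setup QR code encodes.
# The secret is the RFC 6238 test key ("12345678901234567890" in Base32),
# not a value taken from any Nextcloud instance.
SAMPLE_URI = ("otpauth://totp/Nextcloud:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Nextcloud")


def secret_from_uri(uri: str) -> str:
    """Extract the Base32 TOTP key from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI carries no secret parameter")
    return values[0]


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 for the given Unix time (default: now)."""
    # Keys are often written with spaces, in lower case, or without padding.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    now = time.time() if at is None else at
    counter = int(now // step)  # number of time steps since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # The key recovered from the saved QR payload yields the current code
    # without the original phone app, which is why it must be stored securely.
    saved_key = secret_from_uri(SAMPLE_URI)
    print("code for the current 30-second window:", totp(saved_key))
```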

Just in case this was not just a general question, but you or another user are currently in this situation, and you need to disable TOTP for that user. You can do so by using the following occ command:

occ twofactorauth:disable <username> totp

After that the user should be able to log-in without TOTP, and can then generate a new TOTP-key.

1 Like

Ah and I forgot, there is also the twofactor_admin app which allows admins to generate a one-time code for users to log into a 2FA protected account.

This command is not working. I’m getting an error like “Command ‘occ’ not found, but there are 21 similar ones.”

App “Two-Factor WebAuthn” cannot be installed because the following dependencies are not fulfilled: The library gmp is not available.

One of my users is locked out and cannot log in. How can I, as an admin, help him? These solutions did not work.

You have to run the command inside your Nextcloud directory as the http / webserver user.

Example command for Debian/Ubuntu based systems:

sudo -u www-data php /path/to/nextcloud/occ twofactorauth:disable <username> totp

Replace /path/to/nextcloud with the actual path to your nextcloud folder.

Looks like the corresponding PHP module is not installed, so you need to install it. The exact name of the package depends on the Linux distribution and the PHP version you are using.

Example command for Debian/Ubuntu based systems:

sudo apt install php-gmp

…or if you are using a specific PHP version from a third party repo:

sudo apt install php8.2-gmp

Replace 8.2 with your actual version.

I am encountering these results. This application cannot be made passive.
root@cloudserver:/home/bayuserftp# sudo -u www-data php /var/www/html/nextcloud/occ twofactorauth:disable isilaycicek totp
Invalid UID
root@cloudserver:/home/bayuserftp# sudo -u www-data php /var/www/html/nextcloud/occ twofactorauth:disable totp
bash: isilaycicek: No such file or directory

On what OS / distribution are you running Nextcloud, and how did you install it?

Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-86-generic x86_64)

System information as of Wed Oct 25 13:47:03 +03 2023

System load: 0.1162109375 Processes: 340
Usage of /: 10.0% of 195.80GB Users logged in: 0
Memory usage: 4%
Swap usage: 0%

  • Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
    just raised the bar for easy, resilient and secure K8s cluster deployment.

    Secure Kubernetes at the Edge | Ubuntu

Expanded Security Maintenance for Applications is not enabled.

13 updates can be applied immediately.
3 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See Ubuntu Expanded Security Maintenance | Security | Ubuntu or run: sudo pro status

And how did you install Nextcloud? Manually, Snap package, Docker, other container format…?

Ultimately, you need to find a way to run the occ script which is located in the Nextcloud installation directory. The exact command depends on the installation method and where the Nextcloud directory is located.

I don’t know how it was installed, my friend installed it, but I show the nextcloud directory below.

root@cloudserver:/var/www/html# ls -l
total 16
-rw-r--r-- 1 root root 10918 Oct 27 2021 index.html
drwxr-xr-x 15 www-data www-data 4096 Oct 20 11:47 nextcloud

We installed it manually.

Not sure why the occ command isn’t working then. As I said, the occ script should be in the Nextcloud installation folder. Did you check if the path you used in your command is correct and the occ file is actually there?