TOTP after occ disable and finally enable not working

Dear Nextcloud Community,

I am currently facing a strange TOTP problem in my Nextcloud instance.
A few months ago I had to reset my phone, and I forgot where I had backed up my backup codes. So I was unable to log in to my administration account, and I decided to disable TOTP for my admin user temporarily via the occ command. I tried to re-enable TOTP for my user, but it didn't work. Now, months later, after upgrading to NC 13, it still does not work.

I tried to disable, remove, reinstall and re-enable the app, but it did not work.
Steps:

  1. Apps/TOTP disable
  2. Apps/TOTP remove
  3. Apps/TOTP enable
  4. occ twofactorauth:disable administrator
  5. occ twofactorauth:enable Administrator

What could be the problem? Are there other steps for repairing it?
Thanks in advance for any help.

Best regards
Oliver Edtmair

Hi,

The problem will be that the TOTP settings are stored in the database. The tables are:

oc_twofactor_backupcodes
oc_twofactor_totp_secrets

I'm not sure, however, whether clearing these tables will solve the problem or cause even more issues. It's even possible that there is another table that I'm not aware of. With a good backup, including a DB backup, you could probably run some tests there.

I do think that clearing those tables will effectively wipe the 2FA from your account. There is only one more possible table, named oc_twofactor_u2f_registrations, but this is only present if you installed the U2F app.

Also, be careful if your admin account isn't the only one listed in the table, of course… :wink:
I'd also stop my NC instance prior to making such changes in the database.

Hi,

thanks for your answers. I will back up my database again and try out your solutions.

Unfortunately, clearing or dropping these tables has no effect. I am still able to log in without the second factor.

I dropped the two mentioned tables, but it is still possible to log in without the second factor.

Did I overlook something?

Well, you shouldn't drop the tables, but rather empty them… Then you'd have to set up two-factor again in your account settings.

I acted this way. My steps were:

  1. Uninstalling TOTP
  2. Removing TOTP
  3. Dropping these two databases
  4. Installing TOTP
  5. Enabling and setting it up in my admin account

Yeah, that of course looks reasonable. Maybe you need to enable the account again via occ. Other than that, I am running out of ideas…

I will try it out soon. I hope it will work that way. Otherwise I have to reinstall my whole Nextcloud instance.

Hi,

finally, re-enabling now seems to work. But I get an error because of dropping the tables oc_twofactor_backupcodes and oc_twofactor_totp_secrets. The table with the backup codes was not set up after reinstalling the TOTP provider. So it seems to work, but I can't log in.

I will now import my database backup of the backupcodes table, and I hope it will work again. Thanks for your help, guys.

Hi again,

it is working now.

For anybody else facing the same problem, the steps are:

  1. Disable the TOTP app via the occ command or the admin account
  2. Remove the TOTP app completely from your Nextcloud instance (an F5 refresh might be useful)
  3. Clear, do not remove(!), the tables oc_twofactor_backupcodes and oc_twofactor_totp_secrets
  4. Reinstall the TOTP app
  5. occ twofactorauth:enable username

And finally it should work again.

Thanks for your help, guys.

Best regards
Oliver
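Step 3 written out as SQL for MySQL/MariaDB, as an added example that is not part of the thread: it clears the TOTP rows for one account instead of truncating whole tables, so other users' second factors survive (the caveat raised earlier in the thread), and it keeps the delete inside a transaction so the row counts can be checked before committing. The column name user_id and the account name 'Administrator' are assumptions; the table names are the ones from the thread.

```sql
-- Added example: clear the TOTP state of a single Nextcloud account.
-- Run with the instance stopped and after taking a DB backup, as advised
-- above. Column name user_id and the account name 'Administrator' are
-- assumptions; adjust them to your schema and user.
SET @uid = 'Administrator';

-- Inspect what is about to go: secrets and backup codes of this user only.
SELECT 'totp_secrets' AS tbl, COUNT(*) AS rows_for_user
  FROM oc_twofactor_totp_secrets WHERE user_id = @uid
UNION ALL
SELECT 'backupcodes', COUNT(*)
  FROM oc_twofactor_backupcodes WHERE user_id = @uid;

-- Rows of other users stay untouched; this is why DELETE ... WHERE is
-- preferred over TRUNCATE when more than one account has 2FA enabled.
SELECT user_id, COUNT(*) AS n
  FROM oc_twofactor_totp_secrets
 GROUP BY user_id;

START TRANSACTION;

DELETE FROM oc_twofactor_totp_secrets WHERE user_id = @uid;
DELETE FROM oc_twofactor_backupcodes  WHERE user_id = @uid;

-- Both counts must now be 0 for this user; the GROUP BY above should
-- still list every other user with unchanged numbers.
SELECT COUNT(*) FROM oc_twofactor_totp_secrets WHERE user_id = @uid;
SELECT COUNT(*) FROM oc_twofactor_backupcodes  WHERE user_id = @uid;

-- Use ROLLBACK; here if the numbers look wrong, otherwise:
COMMIT;

-- Only if every account really must be reset: empty (never DROP) the
-- tables, so the app's schema is still there when TOTP is reinstalled.
-- TRUNCATE TABLE oc_twofactor_totp_secrets;
-- TRUNCATE TABLE oc_twofactor_backupcodes;
```

After the commit, continue with steps 4 and 5 from the list above and set TOTP up again in the account's personal settings.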

Thank you for your last post. I used the same steps to recover from a backup. I think step 5 does not always work: some plugins require the user to enable the 2FA. It says it is not supported for TOTP anyway.

What happened to me:
Ubuntu killed my PHP config. After doing a dist-upgrade it deleted PHP and Apache altogether (weird, but I should not have used dist-upgrade).

Luckily I had a backup of the entire VM from a couple of months ago. After restoring that I had a running Nextcloud again. However, I had reset my TOTP tokens in the meantime, so my token did not work, nor did the new backup tokens. Since 2FA is now mandatory, I could not seem to disable it in any way. So I could only log in with the admin account (which had 2FA disabled at the time of the backup: yay! :wink: ). Running the occ command to disable 2FA for a user did not work.

So your guide can also be used if you have just recovered from a backup and are not able to DISABLE 2FA. Truncating the tables did the trick. THANK YOU!