TOTP "The provider does not support this operation."

I want to re-enable TOTP for a user “userx”, but I seem unable to.
Current situation:

  ~ ❯ sudo -i -u nextcloud php /var/www/nextcloud/occ twofactorauth:state userx
Two-factor authentication is not enabled for user userx

Disabled providers:
- backup_codes
- totp
- twofactor_nextcloud_notification
  ~ ❯ sudo -i -u nextcloud php /var/www/nextcloud/occ twofactorauth:enable userx totp
The provider does not support this operation.


TOTP cannot simply be enabled for a user via an occ command, as it requires user interaction in the WebUI to set it up (adding the secret to a TOTP app by scanning the QR code or manually copying the secret), i.e. users have to do it themselves.

Also, as far as I know, if you disabled TOTP for a user, you can’t just re-enable it and re-use the same secret, so the user has to set it up again via the WebUI.

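To make concrete what the "secret" and the QR code in the setup wizard actually are, here is an added example (not code from this thread or from Nextcloud's twofactor_totp app): it generates a base32 seed, builds the otpauth:// URI that a TOTP QR code encodes, and implements the RFC 4226/6238 code derivation that both the server and the user's authenticator app run on that shared seed. The issuer "Nextcloud" and account "userx" are illustrative labels; the fixed seed is the RFC 6238 test-vector secret, included so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# RFC 6238 test-vector seed (ASCII "12345678901234567890" in base32).
# Constructed sample input; a real deployment uses generate_secret().
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Random seed, base32-encoded for the authenticator app.

    160 bits is the RFC 4226 recommendation for HMAC-SHA1 seeds.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI that the setup wizard's QR code carries.

    Whoever can read this URI (or the QR code) holds the seed and can
    produce valid codes forever, which is why it is meant to be scanned
    once, directly from screen to the user's own device.
    """
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": secret, "issuer": issuer, "algorithm": "SHA1",
        "digits": digits, "period": period,
    })
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter), dynamic truncation, mod 10^digits."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None,
         period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // period, digits)


def verify(secret: str, code: str, at: Optional[int] = None,
           window: int = 1, period: int = 30) -> bool:
    """Server-side check tolerating +/- `window` time steps of clock skew.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched.
    """
    t = int(time.time()) if at is None else at
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, t // period + skew), code):
            return True
    return False


if __name__ == "__main__":
    seed = generate_secret()
    print("seed for the authenticator app:", seed)
    print("what the QR code encodes:", provisioning_uri(seed, "userx", "Nextcloud"))
    print("current code:", totp(seed))
    # RFC 6238 check: at T=59 the 8-digit code is 94287082, so 6 digits give 287082.
    print("RFC vector at T=59:", totp(RFC_SECRET, at=59))
```

The point the thread makes follows directly from the code: every party holding the seed, whether the user's phone, the server's database, or an administrator who put it in a PDF, computes identical codes, so the seed's confidentiality is the entire strength of the second factor.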

It would be nice if TOTP could be enabled this way for a user and you could give the secret as an option.
Then TOTP could be handled completely via occ.

There is already an Issue:

I am working on a solution.


Much and good luck,
ernolf

I don’t quite understand why you would need this feature. I mean, how are you supposed to distribute the secret securely? By email or Whatsapp? Or should everyone use the same secret and you put the QR code on the coffee machine so that everyone can easily scan it? :wink:

Either way, in my opinion, passing along the secret in insecure ways weakens overall security, and letting multiple users use the same secret even partially defeats the purpose of 2FA.

If you want to make it easier for users while making the login process even more secure, I’d suggest getting FIDO2 hardware keys and using them as a second factor.

I see it the same way. With 2FA, a value is generated once and displayed via QR code so that it is transferred “offline” from the end user to the respective 2FA device of the same end user.

Even if it doesn’t fit the topic: There is the Nextcloud App Secrets, where you can exchange E2E-encrypted data via the browser. But you should only use this app if you understand it. If you trust the application and it works correctly, you can safely use it to transfer a secret such as the start data for 2FA. But this also contradicts the requirements of 2FA as two people know the start code. It is far safer to scan the QR code offline.


And far easier as well, at least compared to typing in a secret that you received via an end-to-end encrypted app. :wink:

That’s right. Unfortunately, many users understand neither the necessity nor the procedure. It then seems acceptable if the administrator also knows the secret or if it is transmitted via insecure channels.

Since it is only about 2FA and not E2E, it would still be acceptable if the administrator also knows the initial data of 2FA and can theoretically generate TOTP tokens. However, this is not necessary and should be prevented. As an administrator, I would not allow myself to be accused of having access.

Either that or they need to tick a compliance checkbox, but don’t actually want to do what’s necessary to be in compliance, because they think it’s too much effort. :wink:

We have a server here with some other applications besides Nextcloud running, and they all support TOTP. The users should get only one TOTP secret for all applications, so I have to set
this secret in every application. As I set it at script level on the server, I see no security issue here.
The users themselves get a PDF instruction for configuring TOTP, including the secret.

We could also solve that with Keycloak and activate TOTP there,
but not all of the applications we use integrate OpenID.

I was more thinking about forcing the user to use TOTP: present them with the TOTP setup wizard before they can access their files again.
Security is too often seen as just a burden by many.

This is already implemented, I have just tested it…

The following happens when a user logs in who has not yet set up TOTP and you enforce 2FA:
