Two-factor authentication turned off by user, then turned on by admin: user can still log in without OTP

Hi All,

As I can’t find a way to force users to use 2-factor, I simulated what happens if a user turns off 2-factor but an admin turns it back on. Here are the steps I did:

  1. User enabled 2-factor with FreeOTP on the Personal page
  2. Mobile FreeOTP captured the 2D barcode
  3. User logged off and logged in with 2-factor to test
  4. User turned off 2-factor on the Personal page
  5. Admin accessed the server via SSH as root, then executed the following command:
    sudo -u www-data php occ twofactorauth:enable
  6. Console shows "Two-factor authentication enabled for user"
  7. User logs in on the web again ----> no OTP prompt; can log in with user name and password only!!

I repeated the login several times after 10 min; still can log in without OTP…

Please correct me if my concept is wrong.

Also, is there any way to force-enable 2-factor, or to stop users from turning it off?

Thanks a lot.

Irvin

Hi Irvin,
This is as designed and the correct behaviour. You have to execute the following command to enable TOTP per user:

sudo -u www-data php occ twofactorauth:enable username

or

sudo -u www-data php occ twofactorauth:disable username

to disable TOTP per user.
Please also have a look here: Tips: command line

Cheers, Carsten
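As an added example (not part of either post above, and not Nextcloud's own code), here is a small POSIX shell wrapper that applies the reply's point: it refuses to run `twofactorauth:enable` without a username, runs it as the web-server user, and then reads back the user's state so the admin sees the result instead of assuming it. The paths, the `NEXTCLOUD_DIR`/`WEB_USER`/`OCC` variables and the use of `occ twofactorauth:state` to read the enforcement state back are assumptions for this illustration; adjust them to your installation.

```shell
#!/bin/sh
# Assumed installation details (placeholders, not from the thread): override via environment.
NEXTCLOUD_DIR="${NEXTCLOUD_DIR:-/var/www/nextcloud}"
WEB_USER="${WEB_USER:-www-data}"
# The occ invocation; overridable (e.g. OCC=echo for a dry run that only prints the commands).
OCC="${OCC:-sudo -u $WEB_USER php $NEXTCLOUD_DIR/occ}"

# Enable two-factor authentication for exactly one user and show the resulting state.
# Returns 2 if no username was given (the mistake in the first post), 1 if occ fails.
enable_2fa_for_user() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: enable_2fa_for_user <username>" >&2
        return 2
    fi
    # Per-user enable, as in the reply: the username argument is mandatory.
    $OCC twofactorauth:enable "$user" || return 1
    # Assumed read-back command: prints whether 2FA is enforced for this user,
    # so the admin can confirm the change before asking the user to log in again.
    $OCC twofactorauth:state "$user"
}

# Enable 2FA for every username passed on the command line, stopping at the first failure.
# Example: sh enable_2fa.sh alice bob
for u in "$@"; do
    enable_2fa_for_user "$u" || exit $?
done
```

Run it as root (it switches to the web-server user for the `occ` calls) with one or more usernames; running it with no arguments does nothing rather than silently enabling 2FA for nobody.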