Two-factor authentication TOTP

Greetings
I have my Nextcloud V. 15 on my Raspberry Pi.
I tested the Two-factor authentication TOTP. I noticed that DAVdroid has issues and can't sync anymore. I don't know how to solve this problem and decided to remove the Two-factor authentication TOTP.
However, now when I login, I have an error that TOTP cannot be used and have to use the access codes. Luckily I had them.
How can I restore the situation?
I want to have the Password login as before and no Two-factor authentication.
(unless I find a suitable solution for DAVdroid)
Thank you for your help
Regards
Kattivius

Hi, the solution is app passwords as far as I know.
Under your user settings and the sub menu “Security” you have the area “Devices and Sessions”.
There you can setup app passwords. Just enter “DAVdroid” as app name and click “Create new app password”.
Copy that password and save it for now.
In DAVdroid go to your login settings, enter your normal user name (which you used for the web gui as well) and as password enter the just created app password.
That should actually do the trick.

The advantage of these app passwords is also that you can always see which client actually logged in. And if your mobile phone got stolen, it is enough to disable/delete the app password. No need to change your web GUI password necessarily.

I hope that helps.

Oh and enable the TOTP-App again then.

1 Like

Thanks Schumer. Yes, last night I kept reading and found the same. Shame on me, I did not read well. I can’t tell if sync is actually happening yet. When I checked last night after adding the device password, I still saw the 3h earlier contact sync. Not the new one. But I will check later again.

However, what I still don’t know is how (if I want to) I can remove the 2 factor authentication. When I tried, it did not work.

Any indication on it?

Regards

When you write you removed the 2F authentication TOTP, do you mean, you disabled and removed the app or did you disable the 2F authentication in the user’s security settings?

I would expect that just disabling 2F per user basis should work and allow username-password login normally again:

Yes. But that does not seem to work. I not only disabled it but also removed the app. And I could not log in with the normal password. Had to use recovery codes.
There is something more about 2fa that does not allow returning in normal mode.

I just tested it and I can disable TOTP in the user settings just fine. After logging out and back in again, I can successfully login with user name and password only.

You should not disable the app itself. Only disable the TOTP for the user.

1 Like

Will test it. That might be the thing. I had first disabled the app itself, and then removed it, and it did not work.
Did not try to uncheck the option.

PS: does it mean that once installed, it can never be uninstalled? (Or removed?)

Anyway, if I see all work well with device password, I am very happy with it.

It can be uninstalled and removed, but only after it has been disabled for all users.
In case you cannot login for all users and manually disable it via web gui, you can still do it via occ command.

Here are code lines, which should help you automate that (modify the path to match your environment if needed):

First, run the following command and check if these are the correct user names (just because I don’t know all possible syntax for user names and right now I assume there are no spaces in usernames, but better check that first!):

for USER in `sudo -u www-data php /var/www/nextcloud/occ user:list | awk '{print $2}' | tr -d ':'`; do echo "detected username: $USER"; done

If there are no shortened user names like “Mr.” while the actual username is “Mr. Roboto” for example, you can run:

for USER in `sudo -u www-data php /var/www/nextcloud/occ user:list | awk '{print $2}' | tr -d ':'`; do  sudo -u www-data php /var/www/nextcloud/occ twofactorauth:disable "$USER"; done

This will loop through all users and disable TOTP for them. Afterwards disabling the app is safe.

1 Like
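
The spaces-in-usernames concern from the post above, as an added example that is not part of the original thread: it splits each `user:list` line at the first colon instead of on whitespace, and only prints what it would do unless `DRY_RUN=0` is set. The function names, the `DRY_RUN` switch and the sample listing are hypothetical or constructed; the occ path and the `twofactorauth:disable` call are the ones used in the thread, and it assumes a user id never contains a colon.

```shell
#!/bin/sh
# Added example. The occ path is the one used in the thread; adjust as needed.
OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"

# Read plain `occ user:list` output ("  - uid: display name") on stdin and
# print one uid per line. The uid is everything between "- " and the FIRST
# colon, so "Mr. Roboto" stays whole.
# Assumption: a uid never contains ":" (a display name may).
parse_uids() {
    sed -n 's/^[[:space:]]*-[[:space:]]\{1,\}\([^:]*\):.*$/\1/p'
}

# Read uids on stdin and disable two-factor auth for each one.
# DRY_RUN defaults to 1, which only prints the command that would run.
disable_2fa_for_all() {
    failed=0
    while IFS= read -r uid; do
        [ -n "$uid" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'would run: occ twofactorauth:disable "%s"\n' "$uid"
        # </dev/null keeps occ from swallowing the rest of the uid list.
        elif ! $OCC twofactorauth:disable "$uid" </dev/null; then
            printf 'failed for user: %s\n' "$uid" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Constructed sample listing (not output from a real server).
sample_listing() {
    cat <<'EOF'
  - admin: Administrator
  - Mr. Roboto: Mr. Roboto: second account
  - alice: Alice Example
EOF
}

# Dry run over the constructed sample. On a real server, feed it with:
#   $OCC user:list | parse_uids | DRY_RUN=0 disable_2fa_for_all
sample_listing | parse_uids | disable_2fa_for_all
```

Review the dry-run output against the real user list before setting `DRY_RUN=0`.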