Hi
Would it be possible for Nextcloud developers to take over this Two-Factor Email project to update it or integrate it into Nextcloud? It’s a feature that I think is very appreciated, but the project developer no longer maintains it as of NC 28.
It would be cool if you could do that.
Thanks.
Github Link: twofactor_email do not work with Nextcloud 31. Nextcloud do not start if it is enabled · Issue #3 · datenschutz-individuell/twofactor_email · GitHub
Well, I’m not so sure it’s a good idea to offer it as an official app, and don’t get me wrong, Email 2FA is still better than no 2FA, but it’s also a lot less secure than something like TOTP or Webauthn, which are already shipped or featured apps.
And before you say, but TOTP or Webauthn is too complicated for normal users or something like that, I say, especially those users should not use Email 2FA, because those users are the ones most likely to use the same insecure password they use for Nextcloud, or a slightly different variant of it, also for their email account.
I agree with you overall, but hey Apple uses it, Google uses it… it remains the main means of account recovery these days for ordinary people.
Yes, because it’s better than nothing, and many users don’t do anything unless they’re forced to. Also, account recovery is not exactly the same as 2FA, and it should definitely not be possible to bypass 2FA with a simple email recovery process using the same email address that is used for the affected account, without further identity verification.
Either way, unless you run a Nextcloud for hundreds of people, I think you should convince your users to use TOTP, and unlike with Google or Apple, they won’t be locked out for long if they lose their second factor, because they have you, their friendly Nextcloud admin, who is happy to help them regain access to their account.
But yeah sure, I guess more options are generally a good thing, I’m just not sure if Nextcloud should actively endorse people to use this particular option.
@bb77 Thank you for your feedback,
And yes, in my case, some users don’t know anything about TOTP or recovery codes… but I still think that in today’s world, even 2FA by email should be available, even if it means leaving the choice to the administrator of the Nextcloud server to activate it or not…
But perhaps even worse is that with a compromised client (especially Windows), even when using different complex passwords for Nextcloud and the email account in conjunction with the app Two-Factor Email, there is no protection. The attacker receives both. This is far different with TOTP, as TOTP is used on a second device such as a smartphone. And no. The Google Authenticator is not a risk because it comes from Google.
That’s why I don’t think much of Two-Factor Email. It suggests a level of security that does not exist in at least some attack scenarios.
Conversely, I wonder how else attackers get the password of a Nextcloud user? By trying it out via the web interface? Even if the password is not very complex, it is unlikely. Via the server itself? And the connection is also encrypted. In my opinion, the biggest risk is the client. And it is precisely this risk that is not covered by Two-Factor Email.
That is your assumption. I doubt this.
Quote from GitHub:
I really hope that this app will be updated because I find it very useful, it’s also strange that “Nextcloud GMBH” does not integrate it directly into Nextcloud server
It’s always the same:
Every app needs support. If Nextcloud includes every app in the server bundle, then the company has to look after and maintain everything.
Then some people scream that the server has too many functions (see discussion Nextcloud Lite) and others want to pay nothing and have everything for free. But the developers also have a life with needs.
It doesn’t work that way.
There was a commit for a first development version including support of newer versions:
but this repo is linked from the app store:
Hi,
The “twofactor_email” application works again on NC31. You only need to modify two files in the twofactor_email app folder to make it compatible. See the Github link at the bottom of the post:
“appinfo/info.xml” and “lib/Service/Email.php”
Github link
Thanks to NielBuys for his work.
Update: The app has been updated on the Nextcloud store
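As an added example (not from the thread, and not the app's own code): before enabling an unmaintained app such as twofactor_email on a newer server, an admin can check the Nextcloud version range the app declares in `appinfo/info.xml`. The `info.xml` below is constructed for illustration and its version numbers are assumptions; raising `max-version` only changes what the app declares, the PHP changes the post mentions for `lib/Service/Email.php` are a separate matter.

```python
"""Check and adjust the Nextcloud version range an app declares in appinfo/info.xml."""
import xml.etree.ElementTree as ET

# Constructed sample of an appinfo/info.xml. The version numbers are assumptions
# for illustration, not taken from the real twofactor_email repository.
SAMPLE_INFO_XML = """<?xml version="1.0"?>
<info>
    <id>twofactor_email</id>
    <name>Two-Factor Email</name>
    <version>3.0.0</version>
    <dependencies>
        <nextcloud min-version="25" max-version="27"/>
    </dependencies>
</info>
"""


def declared_range(info_xml: str) -> tuple[int, int]:
    """Return (min-version, max-version) the app declares for the Nextcloud server."""
    root = ET.fromstring(info_xml)
    dep = root.find("./dependencies/nextcloud")
    if dep is None:
        raise ValueError("info.xml has no <dependencies><nextcloud/> element")
    return int(dep.get("min-version")), int(dep.get("max-version"))


def is_compatible(info_xml: str, server_major: int) -> bool:
    """True if the server major version lies inside the declared range."""
    lo, hi = declared_range(info_xml)
    return lo <= server_major <= hi


def bump_max_version(info_xml: str, server_major: int) -> str:
    """Return info.xml with max-version raised to server_major if it is lower.

    This only changes what the app *declares*; code that relies on removed
    server APIs still has to be fixed separately.
    """
    root = ET.fromstring(info_xml)
    dep = root.find("./dependencies/nextcloud")
    if dep is None:
        raise ValueError("info.xml has no <dependencies><nextcloud/> element")
    if int(dep.get("max-version")) < server_major:
        dep.set("max-version", str(server_major))
    return ET.tostring(root, encoding="unicode")
```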