Mail 2FA for first login (enforced 2FA) #17584
Comments
I agree with the suggestion above, mail as an enforced second factor would be great. It is not always possible to require the client to have a physical device or an application installed on their phones, due to company restrictions/policies and because of working remotely.
That's exactly the problem that we have in our business. We work with individuals around the world and can not ask an employee we're temporarily working with on a project to install an app or buy a U2F device. Especially if Nextcloud seriously wants to be interesting for companies (Virtual Datarooms), this is a feature that is still missing.
Afaik, usually only the 2FA services are displayed which have been enabled and configured by the Nextcloud administrator. Besides the mentioned 2FA services you will find additional 2FA services, like the Two Factor e-mail provider or the Two-Factor TOTP Provider app in the app store. Beside that, I wouldn't personally recommend using email as a 2FA service because it is routed over the insecure Internet. Better is to use e.g. the Two-Factor TOTP Provider app which allows you to use Google Authenticator or andOTP. Both can easily be installed and used. Security is not a choice of convenience but an essential requirement 😉
Please read the section "Expected behavior" in my post. I realize that the apps have to be activated and configured.
That is also my idea, but in the projects it often fails because of such requirements.
It is not there because it isn't implemented in the apps. There is nothing in Nextcloud itself blocking it. It just has to be done. Pull requests to fix this are welcome. Note that neither 2FA via mail nor SMS is officially supported by Nextcloud GmbH, but you can always reach out to your account manager if you are a customer to see what is possible.
@rullzer
@thomasjanzenddp no 😉 a pull request is a patch with the code to fix the issue.
Is this still valid? If not, please close this issue. Thanks! :)
In Nextcloud Hub II (23.0.2) this is still a major missing feature. In 02.2022.
I've created a workaround to this issue: #34938. It currently uses a PHP script I call from cron to patch accounts and provide them with the necessary table values to force 2FA-email on all accounts.
@jfieser Thank you, really appreciated. @Charles-Bourne @szaimen @rullzer @joshtrichards May I suggest an optimization that can be executed for example in a system cron? Or maybe as part of the Nextcloud cron:
UPDATE oc_twofactor_totp_secrets TOTP, oc_twofactor_providers PROVIDERS
This way you ONLY activate the email 2FA for users who successfully configured the TOTP. P.S.: I assume that the TOTP and email 2FA apps are installed and enabled in your Nextcloud instance :)
Thank you @jfieser and @rdlab-upc. @rdlab-upc in your solution, everyone who has configured 2FA and everyone who will never configure 2FA is allowed to log in. And if I make 2FA optional, then the user has already logged in for the first time, otherwise he wouldn't be able to set up 2FA himself. In this case I wouldn't have that problem at all. Best regards
@Charles-Bourne Maybe I am wrong, but with this WHERE statement, you only enable users who successfully activated TOTP authentication. If the user has no previous TOTP authentication, it won't activate their email 2FA.
WHERE TOTP.state = 2 and TOTP.user_id = PROVIDERS.uid and PROVIDERS.provider_id = 'email';
This feature request needs to go to https://github.com/nursoda/twofactor_email or whatever provider you're trying to use. There's nothing for us to do here in
Steps to reproduce
Expected behaviour
The user is asked to set up a 2FA. All types of 2FA enabled via app will be displayed.
Actual behaviour
Only two 2FA options are displayed. U2F and OTP. Mail, SMS etc. are missing.
Server configuration
Nextcloud 17.0
Managed Server on ocloud.de
I think it’s great that Nextcloud - version 17 - gives a user with enforced 2FA the opportunity to set up a second factor when they log in for the first time.
Unfortunately, only “U2F” and “OTP” are offered.
It would be very helpful, if also the option “Mail” would be offered here. Would that be possible to implement?
More Information: https://help.nextcloud.com/t/mail-2fa-for-initial-login/62193
best regards
Thomas