
Mail 2FA for first login (enforced 2FA) #17584

Closed
thomasjanzenddp opened this issue Oct 17, 2019 · 14 comments
Labels
1. to develop Accepted and waiting to be taken care of enhancement feature: authentication

Comments

@thomasjanzenddp

thomasjanzenddp commented Oct 17, 2019

Steps to reproduce

  1. Create a user
  2. Enforce 2FA for that user
  3. Login with this user

Expected behaviour

The user is asked to set up a 2FA. All types of 2FA enabled via app will be displayed.

Actual behaviour

Only two 2FA options are displayed. U2F and OTP. Mail, SMS etc. are missing.

Server configuration

Nextcloud 17.0
Managed Server on ocloud.de

I think it’s great that Nextcloud - version 17 - gives a user with enforced 2FA the opportunity to set up a second factor when they log in for the first time.
Unfortunately, only “U2F” and “OTP” are offered.
It would be very helpful, if also the option “Mail” would be offered here. Would that be possible to implement?
More Information: https://help.nextcloud.com/t/mail-2fa-for-initial-login/62193
best regards
Thomas

@thomasjanzenddp thomasjanzenddp added 0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement labels Oct 17, 2019
@dennorske

I agree with the suggestion above, mail as an enforced second factor would be great. It is not always possible to require the client to have a physical device or an application installed on their phones, due to company restrictions/policies and because of working remotely.

@thomasjanzenddp
Author

That's exactly the problem that we have in our business. We work with individuals around the world and can not ask an employee we're temporarily working with on a project to install an app or buy a U2F device.

Especially if Nextcloud seriously wants to be interesting for companies (Virtual Datarooms), this is a feature that is still missing.

@j-ed
Contributor

j-ed commented Oct 17, 2019

Afaik, usually only the 2FA services are displayed which have been enabled and configured by the Nextcloud administrator. Besides the mentioned 2FA services you will find additional 2FA services, like the Two Factor e-mail provider or the Two-Factor TOTP Provider app in the app store.

Besides that I wouldn't personally recommend using email as a 2FA service because it is routed over the insecure Internet. Better is to use e.g. the Two-Factor TOTP Provider app which allows you to use Google Authenticator or andOTP. Both can easily be installed and used. Security is not a choice of convenience but an essential requirement 😉

@thomasjanzenddp
Author

Afaik, usually only the 2FA services are displayed which have been enabled and configured by the Nextcloud administrator. Besides the mentioned 2FA services you will find additional 2FA services, like the Two Factor e-mail provider or the Two-Factor TOTP Provider app in the app store.

Please read the section "Expected behavior" in my post. I realize that the apps have to be activated and configured.

Besides that I wouldn't personally recommend using email as a 2FA service because it is routed over the insecure Internet. Better is to use e.g. the Two-Factor TOTP Provider app which allows you to use Google Authenticator or andOTP. Both can easily be installed and used. Security is not a choice of convenience but an essential requirement 😉

That is also my idea, but in the projects it often fails because of such requirements.

@rullzer
Member

rullzer commented Oct 19, 2019

It is not there because it isn't implemented in the apps. There is nothing in nextcloud itself blocking it. It just has to be done.

Pull requests to fix this are welcome.

Note that neither 2FA via mail nor via SMS is officially supported by Nextcloud GmbH, but you can always reach out to your account manager if you are a customer to see what is possible.

@thomasjanzenddp
Author

@rullzer
I've never worked with Github and I'm not a programmer, so I have no idea how to properly create a pull request. Is that ok?
nursoda/twofactor_email#32

@rullzer
Member

rullzer commented Oct 21, 2019

@thomasjanzenddp no 😉 a pull request is a patch with the code to fix the issue.
Somebody with the time and skill will have to contribute to make it happen.

@szaimen szaimen added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels May 27, 2021
@szaimen
Contributor

szaimen commented May 27, 2021

Is this still valid? If not, please close this issue. Thanks! :)

@ha-ja

ha-ja commented Feb 27, 2022

Is this still valid? If not, please close this issue. Thanks! :)

In Nextcloud Hub II (23.0.2) this is still a major missing feature. In 02.2022.

@jfieser

jfieser commented Jun 26, 2023

Is this still valid? If not, please close this issue. Thanks! :)

In Nextcloud Hub II (23.0.2) this is still a major missing feature. In 02.2022.

I've created a workaround to this issue: #34938. It currently uses a PHP script I call from cron to patch accounts and provide them with the necessary table values to force 2FA-email on all accounts.

@rdlab-upc

rdlab-upc commented Nov 30, 2023

@jfieser Thank you, really appreciated.

@Charles-Bourne @szaimen @rullzer @joshtrichards May I suggest an optimization that can be executed for example in a system cron? Or maybe as part of the Nextcloud cron:

  • SQL query:

-- MySQL/MariaDB multi-table UPDATE: enable the email provider only for users
-- whose TOTP setup is complete (state = 2) and who already have an email provider row.
UPDATE oc_twofactor_totp_secrets TOTP, oc_twofactor_providers PROVIDERS
SET PROVIDERS.enabled = 1
WHERE TOTP.state = 2 AND TOTP.user_id = PROVIDERS.uid AND PROVIDERS.provider_id = 'email';

This way you ONLY activate the email 2FA for users who successfully configured the TOTP.

P.S: I assume that the TOTP and email 2FA apps are installed and enabled in your NextCloud instance :)

@ha-ja

ha-ja commented Nov 30, 2023

@jfieser Thank you, really appreciated.

@Charles-Bourne @szaimen @rullzer @joshtrichards May I suggest an optimization that can be executed for example in a system cron? Or maybe as part of the Nextcloud cron:

  • SQL query:

UPDATE oc_twofactor_totp_secrets TOTP, oc_twofactor_providers PROVIDERS SET PROVIDERS.enabled = 1 WHERE TOTP.state = 2 and TOTP.user_id = PROVIDERS.uid and PROVIDERS.provider_id = 'email';

This way you ONLY activate the email 2FA for users who successfully configured the TOTP.

P.S: I assume that the TOTP and email 2FA apps are installed and enabled in your NextCloud instance :)

Thank you @jfieser and @rdlab-upc.

@rdlab-upc in your solution, everyone who has configured 2FA and everyone who will never configure 2FA is allowed to log in.
You wouldn't force it anymore.
I then have accounts that can log in without 2FA the first time and I have accounts that can always log in without 2FA because they will never configure 2FA.

And if I make 2FA optional, then the user has already logged in for the first time, otherwise he wouldn't be able to set up 2FA himself. In this case I wouldn't have that problem at all.

Best regards

@rdlab-upc

rdlab-upc commented Nov 30, 2023

@Charles-Bourne Maybe I am wrong, but with this WHERE statement, you only enable users who successfully activate the TOTP authentication. If the user has no previous TOTP authentication, it won't activate their email 2FA.

WHERE TOTP.state = 2 and TOTP.user_id = PROVIDERS.uid and PROVIDERS.provider_id = 'email';
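The exchange above hinges on which accounts the posted UPDATE touches and which it leaves without any enabled second factor. The following is an added example, not code from the thread or from Nextcloud; it rebuilds the two tables in an in-memory SQLite database using only the column names visible in the posted query (user_id, state, uid, provider_id, enabled), rewrites the MySQL multi-table UPDATE as an equivalent SQLite UPDATE with a subquery, and then audits which users still have no enabled provider. The sample rows, the meaning of state = 2 as "TOTP setup completed" (taken from the poster's own description) and the user list are constructed assumptions.

```python
import sqlite3

# Constructed sample data (not from the issue). Column names follow the posted query.
# state = 2 is treated as "TOTP setup completed", as the poster's query assumes.
TOTP_SECRETS = [
    ("alice", 2),  # completed TOTP enrolment
    ("bob", 1),    # started but never verified (assumed meaning of state 1)
    # carol and dave have no TOTP row at all
]
PROVIDERS = [
    ("alice", "totp", 1), ("alice", "email", 0),
    ("bob", "totp", 0), ("bob", "email", 0),
    ("carol", "email", 0),
    # dave has no provider rows at all
]
# Full account list (constructed); needed because users with no provider
# rows never appear in oc_twofactor_providers and would otherwise be missed.
USERS = ["alice", "bob", "carol", "dave"]


def build_db():
    """Create the two tables with the columns the posted query relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oc_twofactor_totp_secrets (user_id TEXT, state INTEGER)")
    conn.execute("CREATE TABLE oc_twofactor_providers (uid TEXT, provider_id TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO oc_twofactor_totp_secrets VALUES (?, ?)", TOTP_SECRETS)
    conn.executemany("INSERT INTO oc_twofactor_providers VALUES (?, ?, ?)", PROVIDERS)
    conn.commit()
    return conn


def apply_workaround(conn):
    """SQLite equivalent of the posted MySQL statement; returns rows changed."""
    cur = conn.execute(
        """
        UPDATE oc_twofactor_providers
        SET enabled = 1
        WHERE provider_id = 'email'
          AND uid IN (SELECT user_id FROM oc_twofactor_totp_secrets WHERE state = 2)
        """
    )
    conn.commit()
    return cur.rowcount


def enabled_providers(conn, uid):
    """Sorted provider ids currently enabled for one user."""
    rows = conn.execute(
        "SELECT provider_id FROM oc_twofactor_providers WHERE uid = ? AND enabled = 1", (uid,)
    ).fetchall()
    return sorted(r[0] for r in rows)


def users_without_enabled_provider(conn, users):
    """Audit: every account in `users` that has no enabled 2FA provider row."""
    covered = {
        r[0]
        for r in conn.execute("SELECT DISTINCT uid FROM oc_twofactor_providers WHERE enabled = 1")
    }
    return sorted(u for u in users if u not in covered)


def run():
    """Apply the workaround and report (rows changed, uncovered users, alice's providers)."""
    conn = build_db()
    before = users_without_enabled_provider(conn, USERS)
    changed = apply_workaround(conn)
    after = users_without_enabled_provider(conn, USERS)
    return changed, before, after, enabled_providers(conn, "alice")


if __name__ == "__main__":
    changed, before, after, alice = run()
    print(f"rows updated: {changed}")
    print(f"uncovered before: {before}")
    print(f"uncovered after:  {after}")
    print(f"alice's enabled providers: {alice}")
```

With these rows the statement flips exactly one row (alice's email provider), and the set of accounts without any enabled provider is the same before and after: bob, carol and dave. That is the point raised in the reply above, made concrete: the query adds email as a second option for users who already completed TOTP, and does nothing for accounts that never enrolled. The audit query is the part worth keeping around regardless of which workaround is used, since it reports coverage against the full account list rather than only against users who already have a provider row.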

@joshtrichards
Member

joshtrichards commented Oct 10, 2024

This feature request needs to go to https://github.com/nursoda/twofactor_email or whatever provider you're trying to use. There's nothing for us to do here in server. There are existing issues covering this for what I presume were the two you used as examples:

@joshtrichards joshtrichards closed this as not planned Won't fix, can't repro, duplicate, stale Oct 10, 2024
Projects
None yet
Development

No branches or pull requests

9 participants