Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

different email address for 2FA #177

Open
JanH77 opened this issue May 21, 2021 · 8 comments
Open

different email address for 2FA #177

JanH77 opened this issue May 21, 2021 · 8 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@JanH77
Copy link

JanH77 commented May 21, 2021

Using the 2-factor email provider, I can see following security problem:
If the email account is compromised, an attacker would be able to request a password reset for the nextcloud account and with the same email address he can request the 2FA token. This would give the attacker easy access to the cloud system.

Can you add a feature that a different email address (than the standard address connected to the account), can be used for 2-factor email provider?
@informaticavera
Copy link

I agree @JanH77 . The personal email could be used to receive the token instead of the company email. I hope it is easy to implement and @rullzer it helps us.
Thanks in advance

@nursoda
Copy link
Owner

nursoda commented Sep 30, 2021
edited
Loading

The now integrated possibility to set multiple notification addresses is independent of this issue, right?

Since there now may be several notification email addresses, the question is what the best solution is. I see two options:

  1. Enhance the user setting so that not only a "primary email for password reset and notification" but also a "separate email as second factor (Two-Factor Email)" may be set in /settings/user. This would be more logical from a user perspective.
  2. Have a completely independent email address setting in /settings/user/security. This seems awkward since multiple addresses are kept in /settings/user already. But on the other hand it's very "close" to the 2FA settings and much easier to implement as it is fully implementable within twofactor_email.

Thoughts? @blizzz @juliushaertl

@AndyXheli
Copy link

I like both options. I think the first option much easier on the end users side since now we can add multiple emails under a user account. But the question i have is would that mean you'll get two emails at the same time? when logging in and requesting for a 2FA email verification; one would go to Primary email and one to secondary email?

Im trying to picture the process from step one too successfully logging in.

@JanH77
Copy link
Author

JanH77 commented Oct 1, 2021

I agree with @nursoda , from user perspective option one will be the better more logical choice.

However, I could think about following solution (if this is possible):

  • add additional email address setting to the user profile (/settings/user)
  • in Two-Factor Email setting (/settings/user/security), let the user select (e.g. by dropdown) which of the configured email addresses (in /settings/user ) should be used for Two-Factor Email

@nursoda
Copy link
Owner

nursoda commented Oct 1, 2021

Complexity arises from edge cases: What shall happen if the user sets everything as aforementioned and then e.g. deletes the previously (in twofactor_email) "selected" address?

@AndyXheli
Copy link

I only had one email under my account my work email and I also added my personal email as soon as I changed my primary email from work to personal the 2FA Email changed automatically. Now that I'm on my personal as primary, I deleted the personal but the email still remained under 2FA email but then as I made my work email again primary it changed under 2FA Email.

@nursoda
Copy link
Owner

nursoda commented Oct 3, 2021
edited
Loading

Highly integrated solution depends on server code (not being implemented)

let the user select by dropdown which of the email addresses configured in /settings/user to be used

Yes, I also like that and consider it a good solution in terms of UI and UX. But it would require to catch a lot of corner cases in code that I have no influence in (and at least now don't want to write PRs for). If we'd go for that, at some considerations would have to be made. That is why I tend not to implement that. Here are my thoughts:

If one would implement this, one would need to decide

  • which address to select as default:
    a) the primary address (which is also used for password reset)
    b) not the primary address (could be a better choice if compromised email account is an attack scenario)
  • How to deal with a "missing" (deleted/changed) address when
    • /settings/user/security is opened
    • Two-Factor Email is used for a challenge

And one would need to find out / know

  • how many (0…n) email address are usable
    • possibly flag them similar to the flag "primary", and display that flag in /settings/user
  • whether (and when) it is detectable if the user (or an admin) deleted the address in use for Two-Factor Email
    • and no other usable address is available (inform admin?)
    • and there is another address available (user expectation?)
  • what shall happen if the address is changed (is that detectable after all)? (Inform the user that the address used for Two-Factor Email has changed?)

Proposal: Implement within the app only (and separately store an email address)

Given all that, and until (UI/UX) veto from Nextcloud staff side, I tend to implement the much simpler way: Keep all config necessary within code and config/DB of the Two-Factor Email app. That way no modification by the server team is needed. My idea is to implement this (any help appreciated):

  • get the list of email addresses from /settings/user
  • in Two-Factor Email setup allow the user
    • to copy one of these addresses (if available)
    • to set an arbitrary address in the input field
  • save that address in the apps namespace in the NC database and use it until the user changes it
  • add some explanatory text that it may be safer not to use the primary address and decide on how much information shall be given to users about attack scenarios and where to put such information:
  • implement ability for OCC to allow admins/users to enable Two-Factor Email and set the address to be used

Common issues

In both cases we need to know / decide

@nursoda nursoda mentioned this issue Oct 3, 2021
Closed
@spotcatbug spotcatbug mentioned this issue Jan 7, 2022
Open
@nursoda nursoda added enhancement New feature or request help wanted Extra attention is needed labels Feb 26, 2022
@jfieser
Copy link

jfieser commented Jun 26, 2023

In my use case, we wanted to force users to keep the same original email address that they were assigned at account creation in case they were terminated from their employer and therefore had no need to access our data. I wrote a little php script that sets users email addresses back to the original if users try to change them. It does require that admins use the full email address as the username. My script also forces all users enabled with 2FA-email. nextcloud/server#34938

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jfieser @nursoda @informaticavera @AndyXheli @JanH77