Automaticaly enable for newly created users (if they have an email address)

[waylon2002my]

Hi Guys, I would like to ask is that possible for new user to enable automatic email authentication once the administrator created the account?

thanks.

[waylon2002my]

may i know this feature will be approve by design team?

[towerplease]

Hey there,
as @waylon2002my already requested, it would be supernice if the e-mail authentication would be pre-enabled when i create a user. We starting to implement Nextcloud here and we need to sit by every user and enable it manually.

Would be nice!

Thank you!

[AndyXheli]

Hello, are we still waiting for this to be implemented?

[AndyXheli]

@rullzer i just enabled this feature and under administration > Security > 2FA is checked like below image but once the user tries to login they get below image.

The way i got around it was that i downloaded Two-Factor Admin support app generated a key logged in as the user then i went under Settings > Personal > Security > and i had to manual enable the Email verification then i got a token via email added the token then i was able to login as the user and 2FA via email works.

My question is once the admin enables the 2fa is there a way to have it as once the user logins in for the first time they can setup and verify in the below location.

[rullzer]

Yes we now have a mechanism to allow setting up 2FA on login (if it is enforced).
However, I ahve not have much time to spend on this app.
BUt if somebody provides a PR i'd be happy to have a look.

[AndyXheli]

@Simounet Im not sure how familiar you're with 2fa but wanted to see if you'd be interested to help with this ☺️

[Simounet]

@AndyXheli yes I am but not with email. I'm sorry but I have a few other fixes to do to NC before spending time on this one.

[AndyXheli]

@Simounet no problem at all thank you so much for taking your time to reply.

[AndyXheli]

@nursoda What do you think about this and would it be complicated to implement

[nursoda]

Can't tell yet. I'll review all bugs. But nor now I have other priorities, like fixing new dev dependency / security issues, pimping the app's appearance in the app store, etc.

[nursoda]

I simply don't know (yet) how to trigger code from this app from the process of "setting up a new user". I have too little knowledge of the whole NC architecture (yet), so any input on this (routing? another app implementing a similar trigger) would be helpful. Or does it need to be implemented in 'server'? I'd think so! IF that were the case, this bug would need to be reported there.

[AndyXheli]

The TOTP app currently dose it if a user doesn't have 2FA enabled but it's required by server admin it will ask you to setup it up upon login. If you make 2FA required and only have 2FA via email it will not ask you to set it up for upon login. Dose that make sense.

[nursoda]

Well, to be honest, I consider twofactor_email much less secure than TOTP or U2F. That said, it's the thing that an admin really CAN enforce (if he/she is able to set an email address, which I consider to be the case in many scenarios). So, as admin, I'd not ONLY offer twofactor_email, but I'd offer it as last resort – and maybe I'd even enable it as default to be able to enforce 2FA. But that would require a method to enable it for EXISTING users also (which is not scope of THIS issue).

Your point was that one might enable it if ONLY twofactor_email is present. I sincerely hope that this is a rare case that I don't want to foster. (@folks, please use proper 2FA :) )

Nevertheless, independent of whether there's only twofactor_email or other twofactor_* apps present, one could want to AT LEAST use twofactor_email if no other means is enabled yet (and an email address is set).

Depending on whether we use the primary(→¹) (or a secondary?) notification address (set in /settings/user) or use an separate(→²) address that has to be set up in /settings/user/security/twofactor_email (MAY it be the same as the primary address?), we ¹could or ²could not set up twofactor_email for new/existing users WITHOUT interaction upon an admin's request.

So, to sum up the dilemma:

• It's a good thing to verify an address used for Two-Factor Email by sending a verification code upon setup – it ensures a user cannot lock himself/herself out. But we cannot do that upon an admin creating a new user account, can we? (To be even more secure, one would need to set up different addresses for password reset and Two-Factor Email. That would further complicate account setup.)
• It's a good thing to enhance security by enabling 2FA by default. But that would mean that the server code should not accept new user accounts if they do not contain an email address.

@waylon2002my, @towerplease: I am sorry but I think that your request to automatically enable twofactor_email for newly created users creates too many other side effects. Plus, an admin can use OCC to bulk-enable 2FA for a group of users.

Since the requested feature is triggered by server code, the server team would have to implement that (and a setting that it shall be activated for all/new users if the app and an email address is present. So, you could open an issue in server. If the server team then needs some help/API from Two-Factor Email, they should either send a PR or specify what is to be implemented. In both cases, I'm going to do my best.

Until then, I reject this proposal. I hope you can follow my reasoning.

To be clear: THIS (now closed) issues is NOT about the ability of Two-Factor Email to be set up for new users within their first login.

[thomas-mc-work]

Plus, an admin can use OCC to bulk-enable 2FA for a group of users.

@nursoda Could you please tell me how this can be done?

[nursoda]

I wrote this soon after I started to maintain the app. I don't know what I had in mind. Probably, that one can enable/disable 2FA altogether for a user.

Reviewing my post and trying to do what I suggested is possible, I was not able to do it myself. So my post is wrong in that respect. I think that I need to create an enhancement issue that allows an admin to enable twofactor_email for existing users. At least via OCC (in the twofactorauth and/or twofactor_email namespace, ideally also via web interface.

Currently, there's only this occ command:

$ occ twofactorauth:disable USER email
The provider does not support this operation.
$ occ twofactorauth:enable USER email
The provider does not support this operation.