Server: Interface to configure 2FA for users/groups (aka forcing/require 2FA)
DISCUSSION
There are some discussions (see references) on "forced 2FA" inside the TOTP-2FA-Repo that should be continued here in "core".
What's it about?
There should be a GUI (with some backend logic) to...
- Force a user/group to do 2FA
- Reset a forced-2FA (~= occ twofactor:disable user)
- Get your 2FA code(s) at first login (just like the first-run-wizard, but not to be canceled)
- Problem: You sould not really been logged in. You should stay in a state where you cannnot access files (nor admin) before having at least one 2FA being set up.
- In my PR (regarding TOTP) I just echoed the QR to get scanned by the user.
- There might be a better place since that might not be suitable (nor possible) for other 2FA.
Ideas and discussions
My initial idea on that is to provide a table (just like user admin) with a list of all configured 2FA endpoints like so:
I made a gist with the (very-early-super-basic) idea of the GUI.
@GitHubUser4234 (correctly) objected that the force-state I was thinking about can be skipped if there is a checkbox like "force" for an entity.
More Ideas
@ChristophWurst wrote
to me, the grid view looks complex and overwhelming. Also I'm worried about real-world setups where you have thousands of users and numerous groups. The grid would be really long then.
No, it should not. The list will only contain entities that differ from the default state.
- The GUI might be an exact copy of the user admin GUI - only with title's rotated by 90° to keep a nice look for multiple 2FAs. And the left panel showing "All", "Users", and "Groups".
- Might be a good idea to provide an input for a username in admin to get the real config for a user (since there is a defaul conf, 0-n group confs and the user config itself; see below).
- Perhaps there should also be an admin interface to see the enabled 2FA for a user.
- About inheritance: It should be discussed how that should work (can a factor once beeing denied been reactivated? How about more than one group?). I would prefer a simple top-down inheritance but since we can have multiple groups for one user a simple "user overrides group overrides default" will not work. Might be suitable to get the strictest rule (that might contain configs from multiple groups).
References
- Issue my PR is based on
- My PR with implementation of basic forced-2fa
- Another discussion (in core) about enhancing 2fa
- My gist with interface and an idea on the data-exchange structure (close-to-be-JSON)
What do you think? ;)
boppy
All 29 comments
cc @nextcloud/designers
ChristophWurst
on 26 Nov 2016
@ChristophWurst Would be great if you could somehow find the related guys to remind them to have a look at it, this PR is awesome!
GitHubUser4234
on 14 Dec 2016
(from my comment in #41)
What I would like to see is a way to see which users in the system have enabled 2FA..
Overall IMHO an implementation of "Required 2FA" would be
- that I can easily see which users have 2FA enabled
- this allows a manager to check who does not have it enabled and pester them until they do.
- make it so that once they enable 2FA they can not disable it.
- either globally or by group. That is a group can be set to "allow 2fa" or "require 2fa". If a user belongs to any group that "require 2fa" then they can not unset 2fa once enabled.
urkle
on 11 Jan 2017
The ideas above are just the perfect recipe for what am looking for;
But it looks like it may take a while to accomplish it all, the more immediate need is the ability to be able to force 2FA and be able to check which users have it enable/disable. In the initial enable process a Temp one time password key could be generated for the user with option to automatically redirect them to their "personal page" from where they can complete the 2FA setup.
SPeedYdr
on 26 Jan 2017
This is a blocker issue for adoption at my company. If I can't require 2FA for all users, then we cannot use the product. I've tried to use sudo -u apache ./occ twofactor:enable as a workaround, but even that doesn't seem to work.
Any ETA on when this might be implemented?
stobias123
on 31 Mar 2017
Agree with @stobias123 This would make Nextcloud soo much better for enterprise users.
Design wise;
- User logs in with the generated/given password.
- The user gets prompted to download Google Authenticator, Authy or similar and is also given a QR Code to scan
- User scans the code
- Stuff are saved in DB and verified
- User gets logged in and are presented with the First Run Wizard as normal.
enoch85
on 8 Apr 2017
Glad y'all are working on this! It's great to have 2FA as an option, but as an admin, the ability to _force_ 2FA is a requirement—otherwise I spend too much time chasing down users and telling them to opt-in. If folks can cheat, they'll cheat.
A simple "force" checkbox on the the plugin config page would satisfy my needs—I don't plan to allow users to opt-out of 2FA once it's enabled instance-wide.
conorsch
on 10 Apr 2017
Agree with @stobias123 This would make Nextcloud soo much better for enterprise users.
Who also have the option to go to https://nextcloud.com/enterprise/ to see the development actually speed up here 😉
LukasReschke
on 10 Apr 2017
@LukasReschke - It's a bit hard to sell management on the pitch that "if we buy it, maybe they'll prioritize real enterprise features."
That said.. We do have a quote from the nextcloud team and will be purchasing support.
stobias123
on 11 Apr 2017
Nextcloud devs, We have several customers who are wanting this feature in place. Is there some kind of bounty that could be setup, such that if we raise X amount of $ you'll get this done in a certain time-frame?
urkle
on 11 Apr 2017
Is there some kind of bounty that could be setup, such that if we raise X amount of $ you'll get this done in a certain time-frame?
MariusBluem
on 11 Apr 2017
@urkle while there is bountysource indeed (as pointed out by @MariusBluem ) this is more suitable for our sales team I think, please contact them ( sales AT nextcloud.com )
rullzer
on 13 Apr 2017
I can help in the design stuff if needed.
Espina2
on 13 Apr 2017
@Espina2 @nextcloud/designers That would be appreciated. Design proposals are always welcome :-)
LukasReschke
on 17 Apr 2017
Also note that not all actions may be available, so for some factors self-enrolling may not be available or resetting the token may not be available. This also needs to be kinda reflected in the UI.
LukasReschke
on 17 Apr 2017
Also you may have hundreds of thousands of users so a search and paging should work etc… :-/
LukasReschke
on 17 Apr 2017
@LukasReschke I will try come with something tomorrow. I will post and after that he can tune that kind of details. :)
Espina2
on 17 Apr 2017
It seems that it would best be integrated in the Users management directly, right? There you directly have the groups and users, can manage defaults and exceptions. cc @LukasReschke
jancborchardt
on 10 Jun 2017
What I would propose for the UI is to keep it much simpler. Right now, each of the 2FA techs is a separate app, right? TOTP and U2F at least. So you don't have to decide WHAT 2FA is enforced or allowed: the ones that are are installed, simple. For that 1 in a million use case where you want a different 2FA support for one group than for another (why on earth?) - built a custom app please 🌷
So then the admin UI is simply "enforce 2FA" and then the user can use any of the 2FA solutions that are installed.
The UI for enabling 2FA doesn't have to be done at the login screen, that creates the problem of having to maintain two interfaces. Better redirect the user to the login screen with the 2FA authentication whenever he/she logs in and bother him/her hard enough to enable it. Think about hiding the app bar with CSS, perhaps disabling file syncing if that's relatively easy.
Sure, the user can work around it but if they HATE their IT department that much that they want to avoid enabling 2FA at all cost (including having to edit CSS and live with no file access) well - I'd say they deserve and can have it 💛
This is less work, less maintenance AND much simpler. Am I right, @boppy ?
jospoortvliet
on 26 Sep 2017
Suggestion.
While these subsystems are getting reshuffled, make it intentionally _multifactor_ auth, with an enable/disable option per-each, and a counter-with-max of 2-or-sum-of-enabled for "how many minimum required".
jakimfett
on 29 Mar 2018
What I would propose for the UI is to keep it much simpler.
I second that.
From the user point of view, the default should be as simple as Activate 2FA, yes/no and they it displays a TOTP qrcode that can be scanned from FreeOTP or Google Authenticator. That will work for everyone.
If other 2FA need to be implemented, they can be at a later time.
ghost
on 30 Mar 2018
Hey guys,
Is there anything new regarding the two factor authentication? I am really looking forward to a even better solution within Nextcloud. Thanks to the Nextcloud team and its community for their contribution so far.
Yours
GoetheG
on 17 May 2018
I've started planning this feature. Please see the overview board at https://github.com/orgs/nextcloud/projects/17 and the linked tickets targeting specific aspects of enforced 2FA. People who have helpful insights on these topics, please feel free to add your comments and provide feedback to the specs outlined in individual tickets.
ChristophWurst
on 3 Sep 2018
Hello,
I ended up upgrading (fresh install) to v14.x this weekend and ran across the "Official" 2FA app/module and got excited! I see this has been in the works for a while and just wanted to get a feel as to when it might be ready and working?
I created a test user that is not currently in a group (have the 2FA with default "no group unchecked")
Logging into a web browser (firefox), 2FA box is not checked... so I would assume "Disabled".
Running the cmds below I attempted to enable it. When I logged back in to the browser session it was still unchecked (disabled). I even restarted services.
[root@nextcloud nextcloud 271]# su -m www -c 'php /usr/local/www/nextcloud/occ twofactorauth:disable testuser'
Two-factor authentication disabled for user testuser
[root@nextcloud nextcloud 272]# su -m www -c 'php /usr/local/www/nextcloud/occ twofactorauth:enable testuser'
Two-factor authentication enabled for user testuser
[root@nextcloud nextcloud 273]# su -m www -c 'php /usr/local/www/nextcloud/occ twofactorauth:state testuser'
Two-factor authentication is not enabled for user testuser
Disabled providers:
- backup_codes
- totp
From the output, the "enable" cmd looks like it does the job, but the "state" cmd output says otherwise.
Hoping to force enable all users via CLI.
fireheadman
on 25 Oct 2018
@fireheadman you'll need to wait till version 15. There you can enforce 2FA for all users / groups.
rullzer
on 25 Oct 2018
Also lets close this ticket as it is done in 15
rullzer
on 25 Oct 2018
in nextcloud 15 from snap, to make this app work , you would want (or should I say must) to execute this with nextcloud.mysq-client:
ALTER TABLE oc_twofactor_admin_codes MODIFY COLUMN id bigint AUTO_INCREMENT;
Otherwise it will error out with SQLSTATE[HY000]: General error: 1364 Field 'id' doesn't have a default value.
As it uses sql statement without altering record id...
zzx999
on 8 Feb 2019
kesselb
on 8 Feb 2019
Please file new tickets for bugs.
I'm locking this issue as resolved.
ChristophWurst
on 11 Feb 2019
Related issues
Django-BOfH
·
3Comments
georgehrke
·
3Comments
mfechner
·
3Comments
blackcrack
·
3Comments
MariusBluem
·
3Comments
Most helpful comment
I can help in the design stuff if needed.