Server: Option to trust PC for specified time period If 2FA is enabled

cc @ChristophWurst

I just want to give my +1 here :)

+1, although it would be nice to have the option to trust this device _indefinitely_.

Actually just submitted a similar request (to the wrong place tho). This is my suggestion:

Suggested behaviour
When logging in with 2FA it would be great to have a checkbox giving the option to "Trust this device". Subsequent logins from the same browser should allow the user to log in using only their password. Any logins not from a "trusted device" should still require a second authentication factor.

The user should also be able to revoke sessions from "trusted devices" (like any other logged in session). When this happens, the device should no longer be considered trusted and should require 2FA on the next login.

You should also be able to choose "Trust this device" when logging in using backup codes.

Rationale
I think this feature would make 2FA more user friendly, not requiring them to enter their 2FA codes every time they log in. But still making it much more difficult for attackers to break into an account.

Implementation details
I don't have a lot of web development experience. But I believe that a unique, randomly generated value stored in a "persistent" cookie would be the easiest way to implement such a feature. The cookie should be kept by the browser even after the user logs out. When logging back in, Nextcloud should recognize the cookie and only require the user to enter their password.

I totally have to agree to this.many services do this and others even go the even more extreme route of remembering the username (which isnt a problem on private computers) therefore only needing the PW.

Hej folks. Any news regarding this topic? Its now marked as stale, for security reasons this topic might be a majro step forward. Most of my users disabled the 2fa, because it is pretty anoying to enter the code every time using a browser to login. Its now 1,5 years since the initial request, until now there was no offical answer if this will be implemented. Would be great if someone could give a hint if it will be added and which version it is planned to be added.

IMO it's a valid feature request. If someone would like to see this implement, I usually suggest to either just implement it and open a pull requests (we're here to help, don't worry if you're not a Nextcloud expert) or fund the development (bounty or enterprise subscription, although the former doesn't give any guarantee that anyone will work on the feature).

Almost 2 years old. I guess we should find a company with an enterprise subscription and pitch them this idea.

While this can be seen as a valid request i think it is more of a huge seurity downgrade, if you don't want 2FA just don't use it but there is no secure way to "trust this device", well not even to know "this device"...

Yes a long-running cookie with some carefully crafted data could look like a solution, but how long until someone found a way to reverse-craft the cookie, or even stole it ?

@bplessis couldn't this maybe done by adding a signed token into a cookie or whatever?

the signature would make it so that one cant just create one out of thin air and with encryption, httponly, samesite and stuff stealing gets a lot harder, as you would need to get the user infected to steal the cookie.

It would be really great to have a "trusted devices" feature implemented in Nextcloud.

From users' perspective, they understand the importance of the 2FA but they find it counter-productive to enter a code every time they login using the same device.

Any updates about this feature request?

Thanks guys for the hard work!

Yea, I'd love that option as well. 2FA makes perfect sense, however it's pretty much an overkill on my personal, triple secured, MacBook.

I have to agree with @bplessis and @ChristophWurst.
I see that login page so rarely it is perfectly fine to enter the second factor. Limiting this greatly reduces the effectiveness of 2FA.

Having said all that. This could indeed be handled by a cookie with a token that has a counter part on the server.
So if anybody wants to work on this, feel free to shoot in a PR.
For a quick fix you could chose to implement this as a 2FA provider.

Just to be clear, this is an accepted (by the industry) and perfectly valid solution that does not lessen security at all. A lot of 2fa solutions only show the 2fa part, when switching IPs, switching browsers, ....

I mean if someone checks the box on a public computer, it's their own fault. It's the same thing as using a private key without a passphrase. It is not a good idea, but you can set an empty passphrase nonetheless. There's no cure for stupidity and it's not your job to educate people how security works.

also some people with 2fa may prefer at least entering their pw once every half eternity rather than staying fully open or having to full 2FA all the time.

So everyone agrees this is a nice feature and if somebody wants to do it, @rullzer even gave a hint as to how to do it. Let me lock this issue before 500 other people add their "yes I like it too" comments, as those aren't really useful ;-)

Remember, features like these get developed if either somebody steps up and simply does it or there is customer demand from Nextcloud GmbH customers.

Note that, if you 'just' want to make logging in with 2FA easier, at least adding the Nextcloud Notification 2FA app helps, as users don't have to enter any codes, just approve the login from another device (mobile, web or desktop client).