Server: App passwords should be optional

Created on 24 Jan 2017 · 12 Comments · Source: nextcloud/server

Hi,

There are environments where security measures need to be enforced, including limiting users to only log in through WebUI using OTP (global OTP enforcement is an enhancement already in the works at #2348) and disallowing file access without OTP login through applications/desktop clients.

Similarly, environments might require to employ password policy which doesn't cover app passwords either and with stringent security requirements this might not be acceptable.

Therefore it would be great to have an option on the administration page to disable the app passwords feature completely, thanks ~

0. Needs triage enhancement stale

All 12 comments

cc @karlitschek @ChristophWurst @LukasReschke Does that make sense?

@ChristophWurst make any sense?

Nope. They are becoming more and more important in fact and the goal is to have all client connections use them.

@ChristophWurst : People including me are asking whether the request is making sense, but your answer does not touch any of the items mentioned in the request. Disappointed.

We had to hack the code and remove app password related sections, and it became even more difficult after such logic appeared in the hard-to-maintain _vue-settings-personal-security.js_.

Hiding the settings is security by obscurity at best. App passwords are an integral feature of the Nextcloud authentication system. Without those client connections would not be as secure. And some features like remote wipe would not be possible.

So this is not about answering questions. The request is simply against our goals, so this is a wontfix.

Phrases like "_client connections would not be as secure_" indicate that the request is not understood correctly, in fact the whole purpose of disabling app passwords is for security reasons!

To explain in other words:

In environments like ours where security has highest priority, 2FA is enforced for all users, for their own safety. Here a screenshot:

image

For the very same reason, users are under no circumstances allowed to skip 2FA, which they could by resorting to the app password function. Therefore, the function needs to be disabled in these cases.

Implementing such a switch should be pretty easy, adding one to config.php would suffice.

But how would you expect any clients to connect if they can't use app passwords?

They are not allowed to connect, it's that simple. If security is highest priority, the "Enforce two-factor authentication" flag is supposed to mean what it says, making it literally impossible to circumvent it in any way, also not by using clients / app passwords. Grateful if this could be done, thanks.

> They are not allowed to connect, it's that simple. If security is highest priority, the "Enforce two-factor authentication" flag is supposed to mean what it says, making it literally impossible to circumvent it in any way, also not by using clients / app passwords. Grateful if this could be done, thanks.

Then listen for this event and delete the app passwords right when they are created: https://github.com/nextcloud/server/blob/5bf3d1bb384da56adbf205752be8f840aac3b0c5/core/Controller/AppPasswordController.php#L116

Because app passwords can only be created after you authenticated via 2FA and allow a single device to interact with the instance. In that way you can revoke access on a per device level, which is not possible with pure username password authentication without 2FA. So this is more secure and provides the needed security. But if you really want to mess around with that: feel free to do so - it's open source and you can install your own apps, that mess around with every detail.

Hi Morris,

Thanks for the reply.

> Because app passwords can only be created after you authenticated via 2FA and allow a single device to interact with the instance. In that way you can revoke access on a per device level, which is not possible with pure username password authentication without 2FA. So this is more secure and provides the needed security.

But this doesn't really sound convincing. This still leaves control to the users. Meaning they can use 2FA to enable a 1FA channel, undermining the safety concept that is intended by enforcing 2FA at all times. This might be negligible for the sake of convenience in some cases, but it might be a huge safety concern in others. That's why giving an option was proposed to cater for both situations.

> But this doesn't really sound convincing. This still leaves control to the users. Meaning they can use 2FA to enable a 1FA channel, undermining the safety concept that is intended by enforcing 2FA at all times. This might be negligible for the sake of convenience in some cases, but it might be a huge safety concern in others. That's why giving an option was proposed to cater for both situations.

Still this will allow to basically make it only work via the web UI and render all clients (desktop and mobile apps as well as CalDAV and CardDAV, etc) useless. This is nothing we plan to add as a configuration option AFAIK. If you really want to have this feature, then hide the UI via CSS and the custom_css app and then delete all the generated app tokens via the above event in the moment they are created (if somebody wants to work around this).

I've to agree with GitHubUser4234. It would be good to have the possibility to disable app passwords at least in the webui. But if it's not possible I guess I'll hide via CSS as well...
