Server: [Mandatory 2FA] Spec: Admin interface (settings page)

Created on 3 Sep 2018 · 10 Comments · Source: nextcloud/server

Mandatory 2FA in Nextcloud 15

Overview/progress board: https://github.com/orgs/nextcloud/projects/17

:rocket:


Specification: Admin interface

Description

Admins should have the possibility to set two-factor authentication as mandatory for part of the instance's users.

Details

There should be a new Two-Factor Authentication section in the admin security settings. A checkbox Enforce two-factor authentication activates the enforcement of users' 2FA.

Limit to groups

Similar to app settings, it should be possible to enforce 2FA just for a subset of users by specifying groups users have to be members of.
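The enforcement rule the spec describes, written out as an added illustration. This is not Nextcloud's own code (the Nextcloud implementation is in the PRs linked further down); the class and function names are hypothetical. It models the checkbox plus an optional set of enforced groups, and decides per user at login time whether a second factor is mandatory, so only the logging-in user's group membership is consulted and no user enumeration on the backend is needed:

```python
# Added illustration of the enforcement rule in this spec (not Nextcloud's own
# code; class and function names are hypothetical).
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class MandatoryTwoFactorConfig:
    """Admin settings from the proposed Two-Factor Authentication section."""
    enforced: bool = False                          # the "Enforce two-factor authentication" checkbox
    enforced_groups: FrozenSet[str] = frozenset()   # empty set: enforce for every user


def is_two_factor_mandatory(config: MandatoryTwoFactorConfig,
                            user_groups: Iterable[str]) -> bool:
    """Decide, for one user, whether 2FA is mandatory.

    Evaluated per user at login, so only that user's group membership is
    needed; nothing has to enumerate all users of a group.
    """
    if not config.enforced:
        return False
    if not config.enforced_groups:
        return True                                 # enforced for the whole instance
    return not config.enforced_groups.isdisjoint(user_groups)


def login_decision(config: MandatoryTwoFactorConfig,
                   user_groups: Iterable[str],
                   enabled_providers: Iterable[str]) -> str:
    """Outcome of a successful password login:
    'allow', 'challenge' (ask for the second factor) or 'setup_required'."""
    if list(enabled_providers):      # user already set up a provider -> second-factor challenge
        return "challenge"
    if is_two_factor_mandatory(config, user_groups):
        return "setup_required"      # enforced but nothing configured: block until set up
    return "allow"


if __name__ == "__main__":
    # constructed sample settings and users
    cfg = MandatoryTwoFactorConfig(enforced=True, enforced_groups=frozenset({"admin"}))
    print(login_decision(cfg, ["admin"], []))          # setup_required
    print(login_decision(cfg, ["users"], []))          # allow
    print(login_decision(cfg, ["users"], ["totp"]))    # challenge
```

The "setup_required" outcome is the part that makes enforcement meaningful: a user in an enforced group who has no provider configured must not reach the session, but should be sent to provider setup instead.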

Open questions

To-Do

  • [x] Mockups
Labels: design, authentication, settings, security, spec

All 10 comments

It would be nice to restrict it to certain providers only. E.g. admins need a u2f 2fa and a normal user can use HOTP. This could be useful, because u2f is the stronger 2fa but needs a hardware device.

Good point, @go2sh.

Considering that all the 2FA providers admins install should be fairly secure, I'm not sure if that extra complexity is really adding much value.

I think I'd be okay with enabling specific providers for specific groups. Having a user-provider matrix as proposed in https://github.com/nextcloud/server/issues/2348#issue-191815667 is way too complex.

I'd say we do baby steps. First enforcement. Then later on we can see about specific providers for groups etc.

> I'd say we do baby steps. First enforcement.

Do you mean a general enforce for all users? I'd prefer to start with the option of enabling for all but also just for specific groups.

@ChristophWurst mainly not to fancy stuff like provider X for group A and provider Y or Z for groups B etc. That will be a configuration nightmare.

> Considering that all the 2FA providers admins install should be fairly secure, I'm not sure if that extra complexity is really adding much value.

That's not true. Nearly all 2FA mechanisms (HOTP, TOTP, SMS, etc) are prone to man-in-the-middle attacks except u2f, since it inserts the domain in the request, which the browser and the server can validate.

But I'm fine with baby steps as this is already an enhancement to security. It just should be considered for the future.
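The origin-binding difference raised in the comment above, as an added toy illustration. This is not the real U2F/FIDO protocol and not any Nextcloud provider's code: an HMAC with a constructed device key stands in for the authenticator's signature, and the origin value names are made up. The point it shows is the relying party's check: a response whose signed client data names another origin is rejected, whereas an OTP code carries no origin at all and therefore verifies no matter where the browser entered it.

```python
# Added toy illustration of origin binding (constructed; not the real
# U2F/FIDO protocol and not Nextcloud code). HMAC over the client data stands
# in for the authenticator's signature.
import hashlib
import hmac
import json
import secrets

DEVICE_KEY = b"constructed-device-secret"   # stands in for the per-site authenticator key
RP_ORIGIN = "https://cloud.example"         # constructed relying-party origin


def authenticator_sign(challenge: str, origin: str) -> dict:
    """Toy authenticator: signs the challenge together with the origin the
    browser reports (the real protocol hashes clientData containing origin)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    tag = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "tag": tag}


def rp_verify_origin_bound(challenge: str, response: dict) -> bool:
    """Relying-party check: valid tag, our challenge, AND our origin inside the signed data."""
    data = json.loads(response["client_data"])
    expected = hmac.new(DEVICE_KEY, response["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, response["tag"])
            and data["challenge"] == challenge
            and data["origin"] == RP_ORIGIN)


def otp_code(counter: int) -> str:
    """Toy HOTP-style code: depends only on the shared secret and a counter."""
    digest = hmac.new(DEVICE_KEY, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 1_000_000).zfill(6)


def rp_verify_otp(counter: int, code: str) -> bool:
    """The server can only compare the code; nothing in it says where it was typed."""
    return hmac.compare_digest(otp_code(counter), code)


def verification_outcomes() -> dict:
    """Same user and authenticator; once the browser is on the genuine origin,
    once on a look-alike origin whose response is forwarded to the real site."""
    challenge = secrets.token_hex(16)
    genuine = authenticator_sign(challenge, RP_ORIGIN)
    forwarded = authenticator_sign(challenge, "https://cloud-example.test")  # constructed look-alike
    return {
        "u2f_genuine_origin": rp_verify_origin_bound(challenge, genuine),    # True
        "u2f_other_origin": rp_verify_origin_bound(challenge, forwarded),    # False: origin mismatch
        "otp_any_origin": rp_verify_otp(7, otp_code(7)),                     # True: nothing binds it
    }


if __name__ == "__main__":
    for name, ok in verification_outcomes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

This is also why the stronger-provider-per-group idea in this thread is a policy question rather than a code-size one: the server-side check for an origin-bound provider is the `data["origin"] == RP_ORIGIN` comparison, which has no counterpart for a code-only provider.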

As a small suggestion for a nice to have feature. An indicator on the user page to show who has 2FA enabled

User back-ends that do not allow user enumeration, as in we cannot check if all users of a group have 2FA enabled or not.

well if the user backend doesn't support it then we are out of luck. Not much we can do to fix that.

Spec is done.

Implementation can be found in the following PRs

  • Basic on/off: #11675
  • Group-based enforced 2FA: #11765

FYI: any further enhancement should be filed as regular feature request (ability to select which providers and such).
