Interface to configure 2FA for users/groups (aka forcing/require 2FA) #2348
Comments
cc @nextcloud/designers
(from my comment in #41)
The ideas above are just the perfect recipe for what I am looking for.
This is a blocker issue for adoption at my company. If I can't require 2FA for all users, then we cannot use the product. I've tried to use Any ETA on when this might be implemented?
Agree with @stobias123 This would make Nextcloud soo much better for enterprise users. Design wise;
Glad y'all are working on this! It's great to have 2FA as an option, but as an admin, the ability to force 2FA is a requirement—otherwise I spend too much time chasing down users and telling them to opt-in. If folks can cheat, they'll cheat. A simple "force" checkbox on the plugin config page would satisfy my needs—I don't plan to allow users to opt-out of 2FA once it's enabled instance-wide.
Who also have the option to go to https://nextcloud.com/enterprise/ to see the development actually speed up here 😉
I can help in the design stuff if needed.
Also note that not all actions may be available, so for some factors self-enrolling may not be available or resetting the token may not be available. This also needs to be kinda reflected in the UI.
Also you may have hundreds of thousands of users so a search and paging should work etc… :-/
It seems that it would best be integrated in the Users management directly, right? There you directly have the groups and users, can manage defaults and exceptions. cc @LukasReschke
What I would propose for the UI is to keep it much simpler. Right now, each of the 2FA techs is a separate app, right? TOTP and U2F at least. So you don't have to decide WHAT 2FA is enforced or allowed: the ones that are installed, simple. For that 1 in a million use case where you want a different 2FA support for one group than for another (why on earth?) - build a custom app please 🌷 So then the admin UI is simply "enforce 2FA" and then the user can use any of the 2FA solutions that are installed. The UI for enabling 2FA doesn't have to be done at the login screen, that creates the problem of having to maintain two interfaces. Better redirect the user to the login screen with the 2FA authentication whenever he/she logs in and bother him/her hard enough to enable it. Think about hiding the app bar with CSS, perhaps disabling file syncing if that's relatively easy. Sure, the user can work around it but if they HATE their IT department that much that they want to avoid enabling 2FA at all cost (including having to edit CSS and live with no file access) well - I'd say they deserve and can have it 💛 This is less work, less maintenance AND much simpler. Am I right, @boppy ?
Suggestion. While these subsystems are getting reshuffled, make it intentionally multifactor auth, with an enable/disable option per-each, and a counter-with-max of 2-or-sum-of-enabled for "how many minimum required". |
I second that. From the user point of view, the default should be as simple as Activate 2FA, yes/no, and then it displays a TOTP QR code that can be scanned from FreeOTP or Google Authenticator. That will work for everyone. If other 2FA need to be implemented, they can be at a later time.
I've started planning this feature. Please see the overview board at https://github.com/orgs/nextcloud/projects/17 and the linked tickets targeting specific aspects of enforced 2FA. People who have helpful insights on these topics, please feel free to add your comments and provide feedback to the specs outlined in individual tickets. |
Hello, I created a test user that is not currently in a group (have the 2FA with default "no group unchecked")
From the output, the "enable" cmd looks like it does the job, but the "state" cmd output says otherwise. Hoping to force enable all users via CLI.
@fireheadman you'll need to wait till version 15. There you can enforce 2FA for all users / groups.
Also let's close this ticket as it is done in 15
in nextcloud 15 from snap, to make this app work, you would want (or should I say must) to execute this with nextcloud.mysql-client: Otherwise it will error out with SQLSTATE[HY000]: General error: 1364 Field 'id' doesn't have a default value. As it uses sql statement without altering record id...
Please file new tickets for bugs. I'm locking this issue as resolved.
DISCUSSION
There are some discussions (see references) on "forced 2FA" inside the TOTP-2FA-Repo that should be continued here in "core".
What's it about?
There should be a GUI (with some backend logic) to...
Ideas and discussions
My initial idea on that is to provide a table (just like user admin) with a list of all configured 2FA endpoints like so:
I made a gist with the (very-early-super-basic) idea of the GUI.
@GitHubUser4234 (correctly) objected that the force-state I was thinking about can be skipped if there is a checkbox like "force" for an entity.
More Ideas
@ChristophWurst wrote
No, it should not. The list will only contain entities that differ from the default state.
References
What do you think? ;)
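The issue body above and the thread comments sketch one policy model: an instance-wide "enforce 2FA" default, per-group and per-user exceptions, an admin table that lists only entities whose state differs from the default, and a login flow that sends users without an enrolled factor to setup. The following is an added example written for this discussion, not Nextcloud's own code; all class, function and group names and the sample data are constructed for illustration. It generalizes the "checkbox per entity" idea by giving user overrides precedence over group overrides and, where a user's groups disagree, letting the enforcing group win so that membership in a lax group cannot weaken the policy.

```python
"""Constructed example of a 2FA enforcement policy resolver (not Nextcloud code).

Models: an instance-wide default, per-group and per-user overrides, the
admin listing of entities that differ from the default, and the login-time
decision of whether a user must pass (or first set up) a second factor.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # no second factor required
    CHALLENGE = "challenge"      # a second factor is required and one is enrolled
    SETUP_REQUIRED = "setup"     # required by policy but nothing enrolled yet


@dataclass
class Policy:
    enforce_default: bool                                   # instance-wide switch
    group_overrides: dict[str, bool] = field(default_factory=dict)
    user_overrides: dict[str, bool] = field(default_factory=dict)

    def is_enforced(self, user: str, groups: list[str]) -> bool:
        """Precedence: user override > group override > default.

        When several of the user's groups carry overrides that disagree,
        the enforcing one wins (any() of the hits), so a lax group can
        never exempt a user who is also in an enforced group.
        """
        if user in self.user_overrides:
            return self.user_overrides[user]
        hits = [self.group_overrides[g] for g in groups if g in self.group_overrides]
        if hits:
            return any(hits)
        return self.enforce_default

    def exceptions(self) -> dict[str, bool]:
        """Rows for the admin table: only entities that differ from the default."""
        rows = {f"group:{g}": v
                for g, v in self.group_overrides.items() if v != self.enforce_default}
        rows.update({f"user:{u}": v
                     for u, v in self.user_overrides.items() if v != self.enforce_default})
        return rows


def login_decision(policy: Policy, user: str, groups: list[str],
                   enabled_providers: list[str]) -> Decision:
    """enabled_providers: ids of providers the user has enrolled (e.g. 'totp', 'u2f').

    Any installed provider satisfies the requirement; the policy does not
    choose between them. A user who opted in voluntarily is challenged
    even when the policy does not require it.
    """
    if enabled_providers:
        return Decision.CHALLENGE
    if policy.is_enforced(user, groups):
        return Decision.SETUP_REQUIRED
    return Decision.ALLOW


def demo() -> dict[str, object]:
    """Run the resolver over constructed sample data and return the results."""
    policy = Policy(
        enforce_default=True,
        group_overrides={"contractors": False, "admins": True},
        user_overrides={"kiosk": False},
    )
    return {
        "admin_table": policy.exceptions(),
        # staff member, no override, nothing enrolled: must set up a factor
        "alice": login_decision(policy, "alice", ["staff"], []),
        # contractor group is exempt
        "bob": login_decision(policy, "bob", ["contractors"], []),
        # exempt group plus enforced group: the enforcing group wins
        "bob_admin": login_decision(policy, "bob", ["contractors", "admins"], []),
        # explicit user exemption beats the admins group
        "kiosk": login_decision(policy, "kiosk", ["admins"], []),
        # exempt, but enrolled TOTP voluntarily: still challenged
        "carol": login_decision(policy, "carol", ["contractors"], ["totp"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `exceptions()` output is what an admin table like the one proposed above would render: with the default set to "enforce", only the contractors group and the kiosk user appear, because the admins group merely restates the default.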