
Interface to configure 2FA for users/groups (aka forcing/require 2FA) #2348

Closed
boppy opened this issue Nov 26, 2016 · 29 comments

Comments

@boppy

boppy commented Nov 26, 2016

DISCUSSION
There are some discussions (see references) on "forced 2FA" inside the TOTP-2FA-Repo that should be continued here in "core".

What's it about?

There should be a GUI (with some backend logic) to...

  1. Force a user/group to do 2FA
  2. Reset a forced-2FA (~= occ twofactor:disable user)
  3. Get your 2FA code(s) at first login (just like the first-run-wizard, but not to be canceled)
    1. Problem: You should not really be logged in. You should stay in a state where you cannot access files (nor admin) before having at least one 2FA set up.
    2. In my PR (regarding TOTP) I just echoed the QR to get scanned by the user.
    3. There might be a better place since that might not be suitable (nor possible) for other 2FA.

Ideas and discussions

My initial idea on that is to provide a table (just like user admin) with a list of all configured 2FA endpoints like so:
(image: 2fa-admin-interface)

I made a gist with the (very-early-super-basic) idea of the GUI.

@GitHubUser4234 (correctly) objected that the force-state I was thinking about can be skipped if there is a checkbox like "force" for an entity.

More Ideas

@ChristophWurst wrote

to me, the grid view looks complex and overwhelming. Also I'm worried about real-world setups where you have thousands of users and numerous groups. The grid would be really long then.

No, it should not. The list will only contain entities that differ from the default state.

  • The GUI might be an exact copy of the user admin GUI - only with titles rotated by 90° to keep a nice look for multiple 2FAs. And the left panel showing "All", "Users", and "Groups".
  • Might be a good idea to provide an input for a username in admin to get the real config for a user (since there is a default conf, 0-n group confs and the user config itself; see below).
  • Perhaps there should also be an admin interface to see the enabled 2FA for a user.
  • About inheritance: It should be discussed how that should work (can a factor, once denied, be reactivated? How about more than one group?). I would prefer a simple top-down inheritance but since we can have multiple groups for one user a simple "user overrides group overrides default" will not work. Might be suitable to get the strictest rule (that might contain configs from multiple groups).

References


What do you think? ;)

@ChristophWurst
Member

cc @nextcloud/designers

@urkle

urkle commented Jan 11, 2017

(from my comment in #41)
What I would like to see is a way to see which users in the system have enabled 2FA.
Overall IMHO an implementation of "Required 2FA" would be

  • that I can easily see which users have 2FA enabled
    • this allows a manager to check who does not have it enabled and pester them until they do.
  • make it so that once they enable 2FA they can not disable it.
    • either globally or by group. That is a group can be set to "allow 2fa" or "require 2fa". If a user belongs to any group that "require 2fa" then they can not unset 2fa once enabled.
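The "strictest rule wins" inheritance boppy sketched above (default conf, 0-n group confs, user conf) and urkle's rule that a user in any group requiring 2FA cannot unset it can be expressed as one small policy resolver. This is an added illustration written for this thread, not Nextcloud code; the provider names, group names and the two-level policy are constructed assumptions.

```python
"""Resolve the effective per-provider 2FA policy for a user by taking the
strictest rule across default, groups and the user's own entry.
Added example for this discussion; not part of Nextcloud."""
from enum import IntEnum


class Policy(IntEnum):
    OPTIONAL = 0  # provider available, the user decides (assumed default state)
    REQUIRED = 1  # provider enforced; user cannot disable it once enrolled


# Constructed sample configuration (not Nextcloud's data model). As proposed
# in the thread, only entries that differ from the default are listed.
DEFAULT = {"totp": Policy.OPTIONAL, "u2f": Policy.OPTIONAL}
GROUP_RULES = {
    "admins": {"totp": Policy.REQUIRED},
    "finance": {"u2f": Policy.REQUIRED},
    "guests": {},
}
USER_RULES = {"alice": {"u2f": Policy.REQUIRED}}
USER_GROUPS = {"alice": ["guests"], "bob": ["admins", "finance"], "carol": []}


def effective_policy(user):
    """Strictest rule wins: a REQUIRED in the default, in any of the user's
    groups, or in the user's own entry makes that provider REQUIRED."""
    result = dict(DEFAULT)
    layers = [GROUP_RULES.get(g, {}) for g in USER_GROUPS.get(user, [])]
    layers.append(USER_RULES.get(user, {}))
    for layer in layers:
        for provider, policy in layer.items():
            result[provider] = max(result.get(provider, Policy.OPTIONAL), policy)
    return result


def may_disable(user, provider):
    """A user may only unset a factor that no applicable rule requires."""
    return effective_policy(user).get(provider, Policy.OPTIONAL) == Policy.OPTIONAL


def users_missing_required_factor(enrolled):
    """Admin view: which users still lack a factor their policy requires.
    `enrolled` maps user -> providers the user has actually set up."""
    missing = {}
    for user in USER_GROUPS:
        need = {p for p, pol in effective_policy(user).items() if pol == Policy.REQUIRED}
        lacking = need - set(enrolled.get(user, ()))
        if lacking:
            missing[user] = sorted(lacking)
    return missing
```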

@SPeedYdr

The ideas above are just the perfect recipe for what I am looking for;
But it looks like it may take a while to accomplish it all, the more immediate need is the ability to be able to force 2FA and be able to check which users have it enabled/disabled. In the initial enable process a Temp one time password key could be generated for the user with option to automatically redirect them to their "personal page" from where they can complete the 2FA setup.

@stobias123

This is a blocker issue for adoption at my company. If I can't require 2FA for all users, then we cannot use the product. I've tried to use sudo -u apache ./occ twofactor:enable as a workaround, but even that doesn't seem to work.

Any ETA on when this might be implemented?

@enoch85
Member

enoch85 commented Apr 8, 2017

Agree with @stobias123. This would make Nextcloud soo much better for enterprise users.

Design wise;

  1. User logs in with the generated/given password.
  2. The user gets prompted to download Google Authenticator, Authy or similar and is also given a QR Code to scan
  3. User scans the code
  4. Stuff is saved in DB and verified
  5. User gets logged in and is presented with the First Run Wizard as normal.

@conorsch

Glad y'all are working on this! It's great to have 2FA as an option, but as an admin, the ability to force 2FA is a requirement—otherwise I spend too much time chasing down users and telling them to opt-in. If folks can cheat, they'll cheat.

A simple "force" checkbox on the plugin config page would satisfy my needs—I don't plan to allow users to opt-out of 2FA once it's enabled instance-wide.

@LukasReschke
Member

LukasReschke commented Apr 10, 2017

Agree with @stobias123 This would make Nextcloud soo much better for enterprise users.

Who also have the option to go to https://nextcloud.com/enterprise/ to see the development actually speed up here 😉

@Espina2
Contributor

Espina2 commented Apr 13, 2017

I can help in the design stuff if needed.

@LukasReschke LukasReschke added the design Design, UI, UX, etc. label Apr 17, 2017
@LukasReschke
Member

Also note that not all actions may be available, so for some factors self-enrolling may not be available or resetting the token may not be available. This also needs to be kinda reflected in the UI.

@LukasReschke
Member

Also you may have hundreds of thousands of users so a search and paging should work etc… :-/

@jancborchardt
Member

jancborchardt commented Jun 10, 2017

It seems that it would best be integrated in the Users management directly, right? There you directly have the groups and users, can manage defaults and exceptions. cc @LukasReschke

@jospoortvliet
Member

What I would propose for the UI is to keep it much simpler. Right now, each of the 2FA techs is a separate app, right? TOTP and U2F at least. So you don't have to decide WHAT 2FA is enforced or allowed: the ones that are installed, simple. For that 1 in a million use case where you want a different 2FA support for one group than for another (why on earth?) - build a custom app please 🌷

So then the admin UI is simply "enforce 2FA" and then the user can use any of the 2FA solutions that are installed.

The UI for enabling 2FA doesn't have to be done at the login screen, that creates the problem of having to maintain two interfaces. Better redirect the user to the login screen with the 2FA authentication whenever he/she logs in and bother him/her hard enough to enable it. Think about hiding the app bar with CSS, perhaps disabling file syncing if that's relatively easy.

Sure, the user can work around it but if they HATE their IT department that much that they want to avoid enabling 2FA at all cost (including having to edit CSS and live with no file access) well - I'd say they deserve and can have it 💛

This is less work, less maintenance AND much simpler. Am I right, @boppy ?

@jakimfett

Suggestion.

While these subsystems are getting reshuffled, make it intentionally multifactor auth, with an enable/disable option per-each, and a counter-with-max of 2-or-sum-of-enabled for "how many minimum required".

@ghost

ghost commented Mar 30, 2018

What I would propose for the UI is to keep it much simpler.

I second that.

From the user point of view, the default should be as simple as Activate 2FA, yes/no and then it displays a TOTP QR code that can be scanned from FreeOTP or Google Authenticator. That will work for everyone.

If other 2FA need to be implemented, they can be at a later time.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 22, 2018
@ChristophWurst
Member

I've started planning this feature. Please see the overview board at https://github.com/orgs/nextcloud/projects/17 and the linked tickets targeting specific aspects of enforced 2FA. People who have helpful insights on these topics, please feel free to add your comments and provide feedback to the specs outlined in individual tickets.

@fireheadman

fireheadman commented Oct 25, 2018

Hello,
I ended up upgrading (fresh install) to v14.x this weekend and ran across the "Official" 2FA app/module and got excited! I see this has been in the works for a while and just wanted to get a feel as to when it might be ready and working?

I created a test user that is not currently in a group (have the 2FA with default "no group unchecked")
Logging into a web browser (firefox), 2FA box is not checked... so I would assume "Disabled".
Running the cmds below I attempted to enable it. When I logged back in to the browser session it was still unchecked (disabled). I even restarted services.

[root@nextcloud nextcloud 271]# su -m www -c 'php /usr/local/www/nextcloud/occ twofactorauth:disable testuser'
Two-factor authentication disabled for user testuser
[root@nextcloud nextcloud 272]# su -m www -c 'php /usr/local/www/nextcloud/occ twofactorauth:enable testuser'
Two-factor authentication enabled for user testuser
[root@nextcloud nextcloud 273]# su -m www -c 'php /usr/local/www/nextcloud/occ twofactorauth:state testuser'
Two-factor authentication is not enabled for user testuser

Disabled providers:
- backup_codes
- totp

From the output, the "enable" cmd looks like it does the job, but the "state" cmd output says otherwise.

Hoping to force enable all users via CLI.

@rullzer
Member

rullzer commented Oct 25, 2018

@fireheadman you'll need to wait till version 15. There you can enforce 2FA for all users / groups.

@rullzer
Member

rullzer commented Oct 25, 2018

Also let's close this ticket as it is done in 15

@rullzer rullzer closed this as completed Oct 25, 2018
@rullzer rullzer added this to the Nextcloud 15 milestone Oct 25, 2018
@zzx999

zzx999 commented Feb 8, 2019

In Nextcloud 15 from snap, to make this app work, you would want (or should I say must) to execute this with nextcloud.mysq-client:
ALTER TABLE oc_twofactor_admin_codes MODIFY COLUMN id bigint AUTO_INCREMENT;

Otherwise it will error out with SQLSTATE[HY000]: General error: 1364 Field 'id' doesn't have a default value.

As it uses sql statement without altering record id...

@kesselb
Contributor

kesselb commented Feb 8, 2019

@ChristophWurst
Member

Please file new tickets for bugs.

I'm locking this issue as resolved.

@nextcloud nextcloud locked as resolved and limited conversation to collaborators Feb 11, 2019