Nextcloud and Two-Factor Authentication #439

Closed
opened 2023-02-18 14:24:17 +01:00 by l3o · 22 comments

On my Disroot account on Nextcloud I had enabled (quite some time ago) a second authentication factor with Yubikey.
I had then generated an "app-password" to use with the nextcloud client.
Everything is still working properly, but when I try to log in to Nextcloud through the nextcloud web interface it will not allow me to use my Yubikey (see [1]). I then log in with the backup codes.
I then tried to disable the Two-Factor Authentication but as can be seen here [2] it does not appear to be active and therefore it is not possible to disable it.
I am therefore in the situation of no longer being able to access the nextcloud web interface using my Yubikey and at the same time not being able to disable Two-Factor Authentication.

meaz added the Urgent! label 2023-02-18 14:32:15 +01:00
Owner

Thanks for reporting. We were looking the other day for someone with a Yubikey to test whether there is an issue or not. I will ping you later today to check things for me.

Author

Perfect, thanks muppeth! If I can then test and help, me and my Yubikey are available ;)


Affects me too, and I didn't generate backup codes because I have a backup Yubikey... (Stupid, but that's what I did.)

This is probably because of the [deprecated Two-Factor U2F app](https://apps.nextcloud.com/apps/twofactor_u2f), which I think is replaced by [Two-Factor WebAuthn](https://apps.nextcloud.com/apps/twofactor_webauthn) (the new app also supports U2F).

There is a migration flow at the end of [this issue and discussion on Github](https://github.com/nextcloud/twofactor_u2f/issues/947). No idea how well it works, though. Would be nice to have 2F WebAuthn even if migration isn't feasible. (In that case the old U2F data probably needs to be removed from accounts.)

I'll also be happy to test things.

Also noticed that the [readme for the old app](https://github.com/nextcloud/twofactor_webauthn) has migration instructions.
Owner

@muppeth I see that `twofactor_u2f` is disabled on prod.
meaz added this to the 23.03 - March milestone 2023-02-25 08:45:00 +01:00
Owner

@epidi @l3o can you test it now?

Author

Hi @muppeth, I just checked but unfortunately the situation is the same as before. It asks for backup codes to log in and, once logged in, the Nextcloud settings show that no Two-Factor Authentication is enabled.

Hi @muppeth, no change for me either. Login says

> Could not load at least one of your enabled two-factor auth methods. Please contact your admin.
> Two-factor authentication is enforced but has not been
> configured on your account. Please continue to setup two-factor
> authentication.
> [Button: Set up two-factor authentication]

Clicking the button just loops back to the same message.
Owner

I see. So basically the old way is deprecated and replaced by a new one. I will check for a possible migration path if one exists, or otherwise disable 2FA from your accounts and test if the new way works from scratch. Will keep you posted.

Yup, that's my impression too. Thanks for looking into this!

There is some information on migrating in [#439 (comment)](https://git.disroot.org/Disroot/Disroot-Project/issues/439#issuecomment-38391) - no idea how good it is.

Removing 2FA from my account would be fine, if migration proves infeasible. If possible, I would still like to have the new Two-factor WebAuthn instead of the deprecated Two-Factor U2F so I can re-enable my security keys.
Author

Hi! Thanks for looking into this. It is ok for me too to disable the old authentication system. Then I will eventually configure the new Two-factor WebAuthn ;)

Checked another Nextcloud instance, which seems to have migrated U2F to WebAuthn. I could register my keys just fine, however, the keys didn't end up as second factor. Instead I got passwordless login (user name + security key). A bit unexpected and I'm not sure that's the route I'd like to go.

OTOH, not being a Nextcloud admin, I may have misunderstood how things work. According to the comments on this issue for the new Two-Factor WebAuthn app, it may be a setting of Nextcloud proper and completely unrelated to the Two-factor app:

https://github.com/nextcloud/twofactor_webauthn/issues/43

Owner

@muppeth is that what you did?

```
# View options – you can run this for all or only specific users
php occ twofactor_webauthn:migrate-u2f --help

# Migrate all users
php occ twofactor_webauthn:migrate-u2f --all

# Disable the U2F app
php occ app:disable twofactor_u2f

# Clean up any U2F registrations
php occ twofactorauth:cleanup u2f
```
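An added example, not a script from this thread or from Nextcloud: a dry-run-by-default wrapper around the occ steps above that keeps them in the safe order, so the old app is only disabled after registrations have been migrated into the new one. The occ path, the web-server user and the use of sudo are assumptions.

```shell
#!/bin/sh
# Added example (not from the Disroot thread or the Nextcloud project): wraps the
# occ migration steps so the old app is only disabled after the migration ran.
# Assumptions: occ lives at $NC_DIR/occ and must run as the web-server user
# $NC_USER (adjust for your host). DRY_RUN=1 (default) only prints the command
# lines that would be executed instead of running them.
NC_DIR="${NC_DIR:-/var/www/nextcloud}"
NC_USER="${NC_USER:-www-data}"
DRY_RUN="${DRY_RUN:-1}"

occ_cmd() {
    # Render one occ invocation as the exact command line that would be executed.
    printf 'sudo -u %s php %s/occ %s\n' "$NC_USER" "$NC_DIR" "$*"
}

run_occ() {
    if [ "$DRY_RUN" = "1" ]; then
        occ_cmd "$@"
    else
        sudo -u "$NC_USER" php "$NC_DIR/occ" "$@" || exit 1
    fi
}

migrate_u2f_to_webauthn() {
    # 1. The migrate-u2f command belongs to the new app, so that app has to be
    #    enabled first; otherwise there is nothing to migrate into.
    run_occ app:enable twofactor_webauthn
    # 2. Copy every user's U2F registrations over (--help lists per-user options).
    run_occ twofactor_webauthn:migrate-u2f --all
    # 3. Only now retire the old app. Disabling it while users still have a u2f
    #    provider enabled is what leaves them at the "Could not load at least one
    #    of your enabled two-factor auth methods" message quoted in this thread.
    run_occ app:disable twofactor_u2f
    # 4. Drop the stale u2f provider records so users with enforced 2FA are no
    #    longer bounced into the setup loop.
    run_occ twofactorauth:cleanup u2f
}

migrate_u2f_to_webauthn
```

Run it with DRY_RUN=0 to execute the steps. The thread itself reports that epidi's U2F registrations did not survive the migration, so have affected users keep their backup codes at hand before step 3.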
muppeth added this to the 23.03 - March project 2023-03-08 12:13:11 +01:00
muppeth self-assigned this 2023-03-08 12:21:57 +01:00
Owner

@meaz I did not do the migration yet, so will do it today. I was (as u know) properly busy the last days but I'm back. I just got a Yubikey from @epidi (thanks a lot mate) so will have something to test as well, though won't be able to test migration.

@muppeth you're welcome, hope it will help verifying that the new 2nd-factor app works, although it won't help with migration of the old U2F registration data. I think the former is more important, but migration would be nice too, of course.


Concerning my previous comment

> ...I got passwordless login (user name + security key)...
>
> ...it may be a setting of Nextcloud proper and completely unrelated to the Two-factor app

I have had a second look, my keys are definitely listed under **Passwordless Authentication**, not **Two-Factor Authentication**, so clearly unrelated to the new Two-Factor WebAuthn app. Should have checked that before spreading FUD.
Owner

@l3o can you check if it works now?
Sorry for picking on this one so late, but I have finally migrated the old u2f authentications.
Owner

@epidi I finally tested with your Yubikey and it seems to be working fine.
muppeth added the Ready label 2023-03-23 00:44:37 +01:00
Author

@muppeth I tried it and I confirm that it works now! Thank you very much for the work!:)


@muppeth My previously registered U2F keys were lost, so migration failed one way or other, but that let me log in and add new keys.

All good, thanks a bunch for your work!

> @epidi I finally tested with your ubikey and seems to be working fine.

Works as a second factor here at git.disroot.org too 🙂
Owner

Ok good news! so I'm closing this.

meaz closed this issue 2023-03-24 19:20:59 +01:00
Reference: Disroot/Disroot-Project#439