[Mandatory 2FA] Spec: Admin 2FA support provider #11020

Closed
3 tasks done
ChristophWurst opened this issue Sep 3, 2018 · 8 comments

Comments

@ChristophWurst
Member

ChristophWurst commented Sep 3, 2018

Mandatory 2FA in Nextcloud 15

Overview/progress board: https://github.com/orgs/nextcloud/projects/17

🚀


Specification: Admin 2FA support provider

For Nextcloud 15, we want to have a clean, secure and less error-prone way to help admins in unlocking user accounts where users lost access to one of their second factors. This should make both admins and users happy.

Overview

This will be a new 2FA provider where you have to enter a code (number?) on the second factor page. It will be registered like any other provider and could therefore be used as an alternative (no access to other factors) or singular second factor (2FA enforced, no other login allowed).

The app could be either just enabled by default or enabled on demand (when admins generate a code, disabled after successful code usage).

Admin interface

The admin should have an interface where they can enter a username. If the username is valid, the system shall generate and display a new code. The admin tells the user the code (via an undefined channel, e.g. telephone). Note: The admin does not have to wait for the user to log in.

This could be added to the admin 2FA settings section as well as an occ command (ref #11019).

Open questions

@rullzer
Member

rullzer commented Sep 3, 2018

Basically #9643 but let's track it here.

@rullzer rullzer mentioned this issue Sep 3, 2018
@ChristophWurst ChristophWurst modified the milestone: Nextcloud 15 Sep 3, 2018
@ChristophWurst
Member Author

Oh, I'm sorry, totally forgot we already had a ticket for this.

@ChristophWurst
Member Author

@rullzer should the admin provider be a separate app or shall we include this in the server (repo) just like the backup codes provider?

@ChristophWurst
Member Author

Started development at https://github.com/ChristophWurst/twofactor_admin.

@ChristophWurst ChristophWurst added the 2. developing Work in progress label Sep 7, 2018
@ChristophWurst
Member Author

First working version can be found at nextcloud/twofactor_admin@6952db2.

@rullzer
Member

rullzer commented Sep 25, 2018

> Should the code be temporary/time-based?

Yes. I mean we could just use TOTP with a code that is valid for 30 or 60 minutes.

> Should admins see users for which codes have been generated? E.g. to delete outdated ones.

Not required if the time is limited IMO.

> Should we add an option for admins to send out the code via email? Might make the admin UX better, but could be problematic in terms of security.

Nah. You have to contact your admin anyways. For e-mail we can have a different provider if they want.
I vote to keep it simple for now. We can extend later if needed.

@ChristophWurst
Member Author

> Yes. I mean we could just use TOTP with a code that is valid for 30 or 60 minutes.

Fine except that we'd have to use a different lib as the totp https://github.com/nextcloud/twofactor_totp/blob/ef7616ef25d6b52b455365af3188723ddd3911d9/composer.json#L3 app to prevent a dependency hell, which is kind of 💩

I'd go for a simple timestamp-based implementation.
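A minimal sketch of the timestamp-based approach, covering both the admin interface from the issue body (admin enters a username, gets a code to read out to the user, user types it on the second-factor page) and the decision here to avoid pulling in a TOTP library. This is an added example, not code from twofactor_admin or the Nextcloud server; the class name, the 30-minute window, the 8-digit code length and the in-memory array standing in for real storage are all assumptions.

```php
<?php
declare(strict_types=1);

// One-time admin code: generated per user, hashed at rest, valid for a fixed
// window, dropped on expiry or first successful use. Expiry is what makes an
// admin-side "delete outdated codes" view unnecessary, as argued in the thread.
final class AdminCodeStore {
    private const TTL_SECONDS = 30 * 60;  // assumed: 30 minutes
    private const CODE_LENGTH = 8;        // assumed: 8 decimal digits

    /** @var array<string, array{hash: string, created: int}> keyed by user id */
    private array $codes = [];

    // Injectable clock so the expiry path can be exercised without waiting.
    public function __construct(private ?\Closure $clock = null) {}

    private function now(): int {
        return $this->clock !== null ? ($this->clock)() : time();
    }

    /** Admin side: create a fresh code for $uid; the plain code is returned exactly once. */
    public function generate(string $uid): string {
        $code = '';
        for ($i = 0; $i < self::CODE_LENGTH; $i++) {
            $code .= (string) random_int(0, 9);  // CSPRNG, never rand()/mt_rand()
        }
        // Hashing is modest hardening only: 10^8 candidates is a small space,
        // so the short TTL and single use carry most of the protection.
        $this->codes[$uid] = ['hash' => hash('sha256', $code), 'created' => $this->now()];
        return $code;
    }

    /** User side: verify the challenge typed on the second-factor page. */
    public function verify(string $uid, string $challenge): bool {
        $entry = $this->codes[$uid] ?? null;
        if ($entry === null) {
            return false;
        }
        if ($this->now() - $entry['created'] > self::TTL_SECONDS) {
            unset($this->codes[$uid]);  // outdated code is discarded on the spot
            return false;
        }
        $ok = hash_equals($entry['hash'], hash('sha256', $challenge));  // constant-time compare
        if ($ok) {
            unset($this->codes[$uid]);  // single use: a replayed code must not work
        }
        return $ok;
    }

    public function hasCode(string $uid): bool { return isset($this->codes[$uid]); }
}
```

A second `verify()` with the same code, or any call after the window has passed, returns false and leaves no code behind for that user.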

@rullzer
Member

rullzer commented Sep 25, 2018

That would also work of course.

@ChristophWurst ChristophWurst moved this from In progress to Done in Mandatory 2FA Sep 26, 2018