[Mandatory 2FA] Spec: Admin 2FA support provider #11020
Comments
Basically #9643 but let's track it here.
Oh, I'm sorry, totally forgot we already had a ticket for this.
@rullzer should the admin provider be a separate app or shall we include this in the server (repo) just like the backup codes provider?
Started development at https://github.com/ChristophWurst/twofactor_admin.
First working version can be found at nextcloud/twofactor_admin@6952db2.
Yes. I mean we could just use TOTP with a code that is valid for 30 or 60 minutes.
Not required if the time is limited IMO.
Nah. You have to contact your admin anyways. For e-mail we can have a different provider if they want.
Fine except that we'd have to use a different lib as the totp https://github.com/nextcloud/twofactor_totp/blob/ef7616ef25d6b52b455365af3188723ddd3911d9/composer.json#L3 app to prevent a dependency hell, which is kind of 💩 I'd go for a simple timestamp-based implementation.
That would also work of course.
Mandatory 2FA in Nextcloud 15
Overview/progress board: https://github.com/orgs/nextcloud/projects/17
🚀
Specification: Admin 2FA support provider
For Nextcloud 15, we want to have a clean, secure and less error-prone way to help admins in unlocking user accounts where users lost access to one of their second factors. This should make both admins and users happy.
Overview
This will be a new 2FA provider where you have to enter a code (number?) on the second factor page. It will be registered like any other provider and could therefore be used as an alternative (no access to other factors) or singular second factor (2FA enforced, no other login allowed).
The app could be either just enabled by default or enabled on demand (when admins generate a code, disabled after successful code usage).
Admin interface
The admin should have an interface where they can enter a username. If the username is valid, the system shall generate and display a new code. The admin tells the user the code (via an undefined channel, e.g. telephone). Note: The admin does not have to wait for the user to log in.
This could be added to the admin 2FA settings section as well as an occ command (ref #11019).
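The following is an added example that models the provider sketched in this spec and the "simple timestamp-based implementation" suggested in the comments above. It is not code from Nextcloud or the twofactor_admin app; the 8-digit numeric code, the 30-minute validity window, the attempt limit and the in-memory storage are assumptions made for illustration. The admin side returns the plaintext code exactly once, only a hash of it is stored, verification uses a constant-time comparison, and a code is discarded after expiry, after too many wrong guesses, or after one successful use. The `is_active` check supports the "enabled on demand" option from the overview: the provider only counts as enabled for a user while an unexpired code exists.

```python
"""Model of the admin unlock-code 2FA provider (added example, not Nextcloud code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict

CODE_DIGITS = 8                   # assumption: 8 digits are easy to read out by phone
CODE_LIFETIME_SECONDS = 30 * 60   # assumption: 30 minutes, as suggested in the thread
MAX_ATTEMPTS = 5                  # assumption: discard the code after repeated wrong guesses


@dataclass
class StoredCode:
    digest: bytes        # SHA-256 of the code; the plaintext is never persisted
    created_at: float    # Unix timestamp; the code expires CODE_LIFETIME_SECONDS later
    attempts: int = 0    # wrong guesses seen so far


class AdminUnlockProvider:
    """One outstanding code per user id. The clock is injectable for testing."""

    def __init__(self, known_users, clock=time.time):
        self._known_users = set(known_users)
        self._clock = clock
        self._codes: Dict[str, StoredCode] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def _expired(self, stored: StoredCode) -> bool:
        return self._clock() - stored.created_at > CODE_LIFETIME_SECONDS

    def generate_code(self, uid: str) -> str:
        """Admin side (settings page or occ command): returns the plaintext code once."""
        if uid not in self._known_users:
            raise ValueError("unknown user")
        # Cryptographically random digits; a new request replaces any older code.
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        self._codes[uid] = StoredCode(self._digest(code), self._clock())
        return code

    def is_active(self, uid: str) -> bool:
        """True while an unexpired code exists, i.e. the provider is 'enabled on demand'."""
        stored = self._codes.get(uid)
        return stored is not None and not self._expired(stored)

    def verify(self, uid: str, candidate: str) -> bool:
        """User side: called from the second-factor page."""
        stored = self._codes.get(uid)
        if stored is None:
            return False
        if self._expired(stored):
            del self._codes[uid]
            return False
        stored.attempts += 1
        if stored.attempts > MAX_ATTEMPTS:
            del self._codes[uid]
            return False
        # Constant-time comparison of the hashes avoids leaking matching prefixes.
        if not hmac.compare_digest(self._digest(candidate), stored.digest):
            return False
        del self._codes[uid]   # single use: a successful login consumes the code
        return True


if __name__ == "__main__":
    provider = AdminUnlockProvider(["alice"])
    code = provider.generate_code("alice")   # admin reads this out to the user
    print("admin sees:", code)
    print("user enters it:", provider.verify("alice", code))
    print("second use rejected:", provider.verify("alice", code))
```

Hashing the code before storing it means a leaked database row cannot be turned into a login, and deleting the entry on first success gives the "disabled after successful code usage" behaviour from the overview without any extra state.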
Open questions