Possible to disable two-factor when two-factor enforced #24939

Open
LinAGKar opened this issue Jan 2, 2021 · 3 comments
Labels: 0. Needs triage (pending check for reproducibility or if it fits our roadmap), enhancement, feature: authentication

Comments

LinAGKar commented Jan 2, 2021


Steps to reproduce

  1. Have an account on an instance with enforced two-factor auth
  2. Disable TOTP
  3. Try to log in

Expected behaviour

It should not be possible to disable two-factor auth when two-factor auth is enforced.

Actual behaviour

Two-factor is disabled without warning, and the user is locked out of their account unless they have a recovery key.

Server configuration

Operating system: OpenSUSE Leap 15.2

Web server: Nginx 1.19.6

Database: mariadb 10.5

PHP version: 7.4.13

Nextcloud version: 20.0.4

Updated from an older Nextcloud/ownCloud or fresh install: Upgraded

Where did you install Nextcloud from: Docker

Signing status: No errors have been found.

List of activated apps:


Enabled:

  • accessibility: 1.6.0
  • activity: 2.13.4
  • bruteforcesettings: 2.0.1
  • calendar: 2.1.2
  • cloud_federation_api: 1.3.0
  • comments: 1.10.0
  • contacts: 3.4.2
  • contactsinteraction: 1.1.0
  • dashboard: 7.0.0
  • dav: 1.16.2
  • federatedfilesharing: 1.10.2
  • federation: 1.10.1
  • files: 1.15.0
  • files_markdown: 2.3.1
  • files_pdfviewer: 2.0.1
  • files_rightclick: 0.17.0
  • files_sharing: 1.12.1
  • files_texteditor: 2.14.0
  • files_trashbin: 1.10.1
  • files_versions: 1.13.0
  • files_videoplayer: 1.9.0
  • firstrunwizard: 2.9.0
  • logreader: 2.5.0
  • lookup_server_connector: 1.8.0
  • news: 15.1.0
  • nextcloud_announcements: 1.9.0
  • notes: 4.0.1
  • notifications: 2.8.0
  • oauth2: 1.8.0
  • password_policy: 1.10.1
  • photos: 1.2.1
  • privacy: 1.4.0
  • provisioning_api: 1.10.0
  • recommendations: 0.8.0
  • richdocuments: 3.7.11
  • serverinfo: 1.10.0
  • settings: 1.2.0
  • sharebymail: 1.10.0
  • support: 1.3.0
  • survey_client: 1.8.0
  • tasks: 0.13.6
  • text: 3.1.0
  • theming: 1.11.0
  • twofactor_backupcodes: 1.9.0
  • twofactor_totp: 5.0.0
  • twofactor_u2f: 6.0.0
  • updatenotification: 1.10.0
  • user_status: 1.0.1
  • viewer: 1.4.0
  • weather_status: 1.0.0
  • workflowengine: 2.2.0

Disabled:

  • admin_audit
  • encryption
  • end_to_end_encryption
  • files_external
  • mail
  • richdocumentscode
  • social
  • systemtags
  • user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost:8081",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "20.0.4.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "filelocking.enabled": true,
        "maintenance": false,
        "loglevel": 0,
        "theme": "",
        "mysql.utf8mb4": true,
        "overwriteprotocol": "https",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "mail_smtpauthtype": "PLAIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox

Operating system: OpenSUSE Tumbleweed
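
An admin who wants to find accounts already in the state the report describes (subject to enforcement, but with no second factor left) can audit the instance from the command line. The script below is an added example, not part of this issue or of Nextcloud's code base. It assumes the output format of `occ twofactorauth:state <uid>` (a "Two-factor authentication is enabled/not enabled for user" line, then "Enabled providers:" and "Disabled providers:" sections with "- <provider id>" entries) and of `occ user:list` ("  - <uid>: <display name>" per user); the provider ids `backup_codes`, `totp` and `u2f` match the apps enabled on this instance. Whether enforcement applies to a given user is passed in as a 0/1 flag (`occ twofactorauth:enforce` with no options prints the current global setting), and the sample dumps are constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Added audit example (not Nextcloud's own code).
# Assumed output of `occ twofactorauth:state <uid>`:
#   Two-factor authentication is enabled for user <uid>
#
#   Enabled providers:
#   - backup_codes
#   - totp
#   Disabled providers:
#   - u2f
# or, for a user with nothing configured:
#   Two-factor authentication is not enabled for user <uid>
set -u

# Print the ids of the enabled providers, one per line, from a state dump ($1).
enabled_providers() {
  printf '%s\n' "$1" | awk '
    /^Enabled providers:/  { on = 1; next }
    /^Disabled providers:/ { on = 0; next }
    on && /^- /            { sub(/^- /, ""); print }
  '
}

# Classify one user.  $1: state dump, $2: 1 if 2FA is enforced for this user.
#   LOCKOUT_RISK  enforced, but no provider enabled: the state this issue describes
#   NONE          not enforced and nothing enabled
#   NO_BACKUP     a provider is enabled but no backup codes exist
#   OK            a provider and backup codes are both enabled
classify_state() {
  local dump="$1" enforced="$2" providers
  providers=$(enabled_providers "$dump")
  if [ -z "$providers" ]; then
    if [ "$enforced" = 1 ]; then echo LOCKOUT_RISK; else echo NONE; fi
    return 0
  fi
  if printf '%s\n' "$providers" | grep -qx 'backup_codes'; then
    echo OK
  else
    echo NO_BACKUP
  fi
}

# Walk every user of a real instance.  OCC and ENFORCED are supplied by the
# caller, e.g.  OCC='sudo -u www-data php occ' ENFORCED=1 ./audit.sh --audit
# Assumes `occ user:list` prints "  - <uid>: <display name>" per user.
audit_instance() {
  local occ="${OCC:-php occ}" enforced="${ENFORCED:-1}" uid dump
  $occ user:list | sed -n 's/^ *- \([^:]*\):.*/\1/p' | while read -r uid; do
    dump=$($occ twofactorauth:state "$uid")
    printf '%-12s %s\n' "$(classify_state "$dump" "$enforced")" "$uid"
  done
}

# Constructed sample dumps (not captured from a real instance).
SAMPLE_ALICE='Two-factor authentication is enabled for user alice

Enabled providers:
- backup_codes
- totp
Disabled providers:
- u2f'
SAMPLE_BOB='Two-factor authentication is not enabled for user bob'
SAMPLE_CAROL='Two-factor authentication is enabled for user carol

Enabled providers:
- totp
Disabled providers:
- backup_codes
- u2f'

# Only touch the real instance when asked, so the functions above can be
# sourced and exercised offline against the samples.
if [ "${1:-}" = "--audit" ]; then
  audit_instance
fi
```

A user reported as LOCKOUT_RISK is exactly the case in the report above: enforcement will demand a second factor at login that the account can no longer provide. NO_BACKUP is the state kesselb's comment targets; those users should be told to generate backup codes before they are allowed to turn a provider off.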

LinAGKar added the labels "0. Needs triage" and "bug" on Jan 2, 2021

kesselb (Contributor) commented Jan 2, 2021

cc @ChristophWurst @jancborchardt, sounds good to me. If no backup codes are generated, we should disable the option to disable two-factor.

LinAGKar (Author) commented Jan 2, 2021

I would say even if the user has backup codes, they should get a warning before disabling TOTP.

ChristophWurst added the labels "1. to develop" and "feature: authentication" and removed "0. Needs triage" on Jan 2, 2021

szaimen (Contributor) commented Jan 23, 2023

This sounds like a feature request to me.

szaimen added the labels "enhancement" and "0. Needs triage" and removed "bug" and "1. to develop" on Jan 23, 2023