
Delete or disable backup 2FA codes #9997

Closed
zippytiff opened this issue Jun 26, 2018 · 7 comments

Comments

@zippytiff

@ChristophWurst thanks for the help here >> #6203 (comment)

I see you are the 2FA guy, so 2 questions:

  1. How do I delete backup codes?

  2. Can I disable backup codes from being created?

  3. How can I force 2FA and a password change at first login (via both the internal DB and external LDAP)?

Thanks

ZT

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #9036 ([2FA] longevity of Backup-Codes), #3130 (After upgrade disable/enable 2fa generates a new code ), #1557 (2FA auth backup codes not removed on user deletion), #1108 (2FA: let users create and authenticate via backup codes), and #6636 (Automaitc Upgrade process - Disable backup).

@ChristophWurst
Member

> How do I delete backup codes?

You can't. And I see no point in being able to do it. If no 2FA provider is active, the Nextcloud server won't ask you for your codes anyway.

> Can I disable backup codes from being created?

Why would you want to do that? That's currently not possible.

> How can I force 2FA and a password change at first login (via both the internal DB and external LDAP)?

See #2348 and nextcloud/twofactor_totp#41.

@zippytiff
Author

Hi CW

Thanks for the reply.

  1. The reason for deleting is to increase the end-user security of the solution. I cannot trust users to look after their backup codes and would much rather they contacted admin if they lost their 2FA access for whatever reason. I would have expected that turning off 2FA in the end-user GUI would also clear out the existing codes etc.

  2. Reason for disabling: same as 1.

  3. Thanks, so where does that mean things are at? Waiting for funding?

Regards

ZT

@ChristophWurst
Member

> Thanks, so where does that mean things are at? Waiting for funding?

Please file a proper feature request (or update the original post and title) with detailed information of how this should work.

Yes, funding usually helps.

Thanks

@zippytiff
Author

Solved, via the Theming custom CSS app:

```css
/* Hide the Settings > Two-Factor Authentication backup-codes button */
div#twofactor-backupcodes-settings { display: none; }
```

@ChristophWurst
Member

Assuming this is resolved -> closing. Feel free to reopen if that's still an issue for you.

@fservida

Just dropping by because of nextcloud/user_saml#284 and nextcloud/user_saml#339.

I've tried zippytiff's solution, but it does not work anymore; I had to hide the whole 2FA section. It feels like a hack anyway, as users with a little knowledge (and those are the ones that might try to get around the SAML process with the "direct" link) can just enable the div and generate the codes.

All in all, these solutions (enforcing 2FA without 2FA methods and hiding backup codes, as well as using the webserver to block access to "direct=1") feel like hacks that should not be needed if, once the SAML backend is activated, there were an option to REALLY restrict login to the SAML backend, with the fallback in case of misconfiguration being disabling the app via occ.
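The two security points raised in this thread (that turning 2FA off should also purge a user's backup codes, and that hiding the backup-code UI with CSS is not enforcement, because the server still accepts the codes) are easier to see in a small server-side model. The following is an added illustrative example written for this page; it is not Nextcloud code and does not use any Nextcloud API. The `BackupCodeStore` class, its method names and the code format (ten 10-hex-character codes, PBKDF2-hashed with a per-user salt) are constructed assumptions chosen to show the pattern: codes are single-use, are only checked while 2FA is enabled, and are deleted the moment 2FA is disabled.

```python
"""Illustrative server-side model of backup-code handling.

Constructed example for this issue thread; not Nextcloud code and not its API.
"""
import hashlib
import hmac
import secrets

# Assumed parameters for the example: backup codes are short, so a slow
# hash keeps offline guessing against a leaked store expensive.
PBKDF2_ITERATIONS = 50_000
CODE_COUNT = 10
CODE_BYTES = 5  # token_hex(5) -> 10 hex characters per code


class BackupCodeStore:
    """Per-user 2FA state plus salted hashes of the *unused* backup codes.

    Plaintext codes exist only in the return value of enable_2fa(); the
    store never keeps them, so an admin cannot read them back either.
    """

    def __init__(self):
        self._enabled = {}  # user -> bool
        self._salts = {}    # user -> bytes
        self._hashes = {}   # user -> set of PBKDF2 digests of unused codes

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)

    def enable_2fa(self, user: str) -> list:
        """Enable 2FA and mint a fresh code set; returns the plaintext codes once."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        salt = secrets.token_bytes(16)
        self._enabled[user] = True
        self._salts[user] = salt
        self._hashes[user] = {self._hash(c, salt) for c in codes}
        return codes

    def disable_2fa(self, user: str) -> int:
        """Turn 2FA off AND purge every remaining backup code.

        This is the behaviour the thread asks for: a disabled provider must not
        leave old codes behind. Returns how many codes were deleted.
        """
        deleted = len(self._hashes.pop(user, set()))
        self._salts.pop(user, None)
        self._enabled[user] = False
        return deleted

    def remaining(self, user: str) -> int:
        """Number of unused backup codes still valid for this user."""
        return len(self._hashes.get(user, set()))

    def redeem(self, user: str, code: str) -> bool:
        """Server-side check: this gate holds no matter what the client UI hides.

        A code is accepted only if 2FA is enabled for the user, it matches an
        unused stored hash (constant-time compare), and it is then consumed.
        """
        if not self._enabled.get(user):
            return False
        candidate = self._hash(code.strip().lower(), self._salts[user])
        matched = None
        for stored in self._hashes[user]:
            if hmac.compare_digest(candidate, stored):
                matched = stored
                break
        if matched is None:
            return False
        self._hashes[user].discard(matched)  # single use
        return True


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.enable_2fa("alice")  # constructed demo user
    print("redeem once:", store.redeem("alice", codes[0]))
    print("redeem twice:", store.redeem("alice", codes[0]))
    print("purged on disable:", store.disable_2fa("alice"))
    print("accepted after disable:", store.redeem("alice", codes[1]))
```

The design choice worth noting is that `redeem()` consults `_enabled` and the hash set, never anything the browser rendered: hiding `div#twofactor-backupcodes-settings` changes what a user sees, while only a server-side rule like `disable_2fa()` purging the store changes what the server accepts.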

4 participants