Force generation of 2FA backup codes when enabling 2FA #89

Closed
Framartin opened this issue Nov 30, 2016 · 13 comments
Comments

@Framartin

Now, a user who didn't read the documentation can enable 2FA without generating his 2FA backup codes. The problem is that if he loses his 2nd factor, the sysadmin has to choose between deactivating 2FA manually for the user (and then 2FA becomes useless) or making the user sad.

A solution can be to not offer the possibility of activating 2FA if the backup codes aren't generated. Or just print a big warning message.

@ChristophWurst
Member

Now, a user who didn't read the documentation can enable 2FA without generating his 2FA backup codes. The problem is that if he loses his 2nd factor, the sysadmin has to choose between deactivating 2FA manually for the user (and then 2FA becomes useless) or making the user sad.

So what about users that are warned but don't actually care about saving/printing backup codes? Or saving them somewhere they cannot find them when they need them. There is no way of ensuring that all users will ever use the software right. We can of course add big warnings, but I'm pretty sure most people won't read it, just like they don't read the documentation 🙊

@jancborchardt ideas/thoughts? :-)

@jancborchardt
Member

How do other platforms do this?

Possible design:
When enabling 2FA, the backup codes should be shown directly. With a short notice they should be backed up if you lose your second factor or whatnot – and a direct download button and print button. Also a button like »Ok I backed them up, hide them now«. The backup codes should be shown as long as that button hasn’t been clicked, even across page refreshes. That would ensure people saved or at least acknowledged the codes.

Does that make sense?

@tflidd

tflidd commented Dec 19, 2016

I think there should be this manual backup code, and the procedure from @jancborchardt sounds good.

Another or additional way would be to have a third factor (as backup for the 2FA), via SMS, ... Google lets you use a U2F device and also SMS as backup.

@r2evans

r2evans commented Dec 24, 2016

2FA over SMS has been officially deprecated by NIST ("5.1.3.2. Out-of-Band Verifiers"). Whether or not you trust NIST as a diviner of security standards, the reasoning is sound in my opinion. Since you are pushing 2FA for security, perhaps it would be more time-efficient to not add a deprecated security feature up-front. (I realize I'm offering a "problem" without any "solution", sorry for that.)

@nursoda

nursoda commented Mar 7, 2017

I vote to have a FLOW:
(TOTP disabled, user does not see the Backup codes(!) config item)

  • user enables TOTP
  • user is asked to verify
  • backup codes are generated and displayed, user is shown some short info "why I should copy this to a safe place now" and given typical options to "share" his backup codes.
  • only after user acknowledges this last screen, TOTP is enabled.

Reasoning: At the moment it is possible to get locked out. If that happens to the only admin (why ever), this is evil. App/System should be robust.
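One way to model the gated flow proposed in this comment and in @jancborchardt's earlier design (codes stay visible across refreshes until acknowledged; TOTP is active only after that), as an added Python example that is not Nextcloud's code: the enrollment record is hypothetical, backup codes are 8 hex characters stored only as SHA-256 hashes, and the clock is passed in explicitly.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import List, Optional

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; used to verify the new second factor."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def code_hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()  # only hashes are stored

@dataclass
class Enrollment:
    """Server-side state of one user's TOTP enrollment (hypothetical model)."""
    secret: bytes
    verified: bool = False
    pending_codes: Optional[List[str]] = None  # persisted: survives page refreshes
    backup_hashes: List[str] = field(default_factory=list)
    enabled: bool = False

    def verify(self, code: str, now: int) -> bool:
        """Step 2: prove the authenticator works; backup codes are generated on success."""
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.verified = True
        self.pending_codes = [secrets.token_hex(4) for _ in range(10)]
        self.backup_hashes = [code_hash(c) for c in self.pending_codes]
        return True

    def acknowledge(self) -> bool:
        """Step 4: TOTP becomes active only after the codes screen is acknowledged."""
        if not self.verified or self.pending_codes is None:
            return False
        self.pending_codes, self.enabled = None, True
        return True

    def redeem_backup(self, code: str) -> bool:
        """Recovery: each backup code is single-use and consumed on success."""
        h = code_hash(code)
        for stored in self.backup_hashes:
            if hmac.compare_digest(h, stored):
                self.backup_hashes.remove(stored)
                return True
        return False
```

Until `acknowledge()` succeeds the account is still in the "TOTP disabled" state, so a user who closes the tab mid-flow is never locked out.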

@ChristophWurst
Member

@nursoda thanks for your feedback, very much appreciated. A first step towards this enhanced flow is the key verification while enabling TOTP: #156

@ChristophWurst ChristophWurst removed their assignment Apr 18, 2017
@GoetheG

GoetheG commented May 19, 2018

The way I see it, it's mandatory to have a secure cloud. Nextcloud can only become a real alternative to Dropbox and other storages if it offers secure and easy-to-use functions. Therefore I hope that you find a proper solution for the problem here and also #41

I'd like to add that I am very thankful to the Nextcloud contributors, helpers and core developers like @ChristophWurst. Your work and participation is not unseen and very appreciated.

@r2evans

r2evans commented May 19, 2018

@GoetheG, there's a distinct difference between "secure cloud" and the two additional features you've referenced. This one, "automatic backup codes", adds zero security: it adds convenience and safety to the user, but when a user loses their 2FA, the cloud is still very much secure.

("Mandatory 2FA" à la #41 is definitely mostly about some security, I agree. However, it can be somewhat approximated by manual labor for the administrator. If you want uber-convenience and/or are using this on a larger/enterprise scale, then an enterprise license and accompanying support contract are in order.)

@GoetheG

GoetheG commented Sep 9, 2018

@r2evans We’re on the same page here. But I am no coder and Nextcloud still does not have the success of Dropbox. The way I see it, Nextcloud should be very secure, open source, easy to install, easy to update and also full of exciting features. Otherwise, what’s the point?

It’s clear to me that there is no way to build an absolutely secure cloud. But forcing users to use 2-factor authentication is one step towards more security. It does not necessarily have to be the current 2-factor authentication solution. But that is one more step that could prevent unwanted access. Even if that step is not the most secure one. This would stop some of the guys trying to “guess” the password. And please don’t give me a speech about password security. That is not the point here.

I don’t get it. Every time I name a thing I wish Nextcloud should have, there are people telling me that there is no total security. Those comments make me wonder whether the Nextcloud community is even interested in the opinions from non-tech guys like me. I mean, we do not have your computer science background and just name the things we like, we dislike and we wish for the future. But we are the people using this piece of software. If you won’t convince us, your software won’t be used by the big masses. Just take a look at Linux for desktop computers...

@ChristophWurst
Member

But I am no coder and Nextcloud still does not have the success of Dropbox. The way I see it, Nextcloud should be very secure, open source, easy to install, easy to update and also full of exciting features. Otherwise, what’s the point?

Believe it or not but we're actually working in that direction. However, this goal requires lots of work to accomplish and won't happen if just a handful of people work on it. Hence we appreciate everyone who contributes some time or money to the product to keep its development going.

Anyway, you might find https://github.com/orgs/nextcloud/projects/17 of interest. Input on any of the linked issues on the project board is welcome. I'll add a note that we should look into mandatory backup code generation as well.

Thank you for your feedback.

@r2evans

r2evans commented Sep 10, 2018

@GoetheG, I don't disagree that there are some features of Dropbox that are lacking in Nextcloud. This is not unexpected, in one sense, as (1) often some of these "obvious requirements" are not obvious at the beginning of the project; and (2) some things take time to refine. Though I really want NC (and OC) to have taken a slightly different tack years ago, hindsight is informative but not unflawed.

I apologize if I seemed to be preaching, that was not my intent and I am certainly not a renowned expert in the field. I'm not certain what in my previous comment triggered the accusation, but so be it, I came across preachy. The only thing really that I considered "preaching" about (not my intended words, but ...) is the fact that we can request or even "demand" certain features in the product, but unless/until we are paying customers, it all seems somewhat "false entitlement". If you are a paying customer (full disclosure: I am not), then my apologies, I assumed that support tickets like this would go through different channels. Again, I don't know, but I see a bunch of "give me this for free" and however I find the technical merit, I think the attitude might be a little misplaced.

I agree that it might be frustrating that some things that you (and I) think are important for our vision have not been the priority for the actual NC team. One of us (me or the NC team) might be less wrong than the other, no doubt. But I am not the one to judge which is which.

@GoetheG

GoetheG commented Dec 22, 2018

@r2evans: Take a look at Nextcloud 15 :). It's integrated.

Thanks to everybody who helped regarding this topic! Great work!

@Framartin
Author

Great news! Thanks a lot to everybody involved.