Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forbid password login on APIs if user is two-factor authenticated #24768

Closed
ChristophWurst opened this issue May 23, 2016 · 2 comments · Fixed by #24811
Closed

Forbid password login on APIs if user is two-factor authenticated #24768

ChristophWurst opened this issue May 23, 2016 · 2 comments · Fixed by #24811
Labels
1 - To develop security Type:Bug
Milestone
9.1

Comments

@ChristophWurst
Copy link
Contributor

Steps to reproduce

  1. Install 2FA app
  2. Access DAV/OCS whatever with username+password

Expected behaviour

Access should be forbidden unless the password is a token.

Actual behaviour

Login is successful.

ref #24559
@ChristophWurst ChristophWurst added this to the 9.1-current milestone May 23, 2016
@ChristophWurst ChristophWurst mentioned this issue May 23, 2016
Merged
12 tasks
@ChristophWurst
Copy link
Contributor Author

We should also warn users that they need to generate device specific passwords if clients are unable to connect or prompt for the password.

@ChristophWurst ChristophWurst mentioned this issue May 24, 2016
Merged
3 tasks
@lock
Copy link

lock bot commented Aug 4, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 4, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
1 - To develop security Type:Bug
Projects
None yet
Milestone
9.1
Development

Successfully merging a pull request may close this issue.

do not allow client password logins if token auth is enforced or 2FA … owncloud/core
1 participant
@ChristophWurst