Interface to configure 2FA for users/groups (aka forcing/require 2FA)

[boppy]

DISCUSSION
There are some discussions (see references) on "forced 2FA" inside the TOTP-2FA-Repo that should be continued here in "core".

What's it about?

There should be a GUI (with some backend logic) to...

1. Force a user/group to do 2FA
2. Reset a forced-2FA (~= occ twofactor:disable user)
3. Get your 2FA code(s) at first login (just like the first-run-wizard, but not to be canceled)
   1. Problem: You sould not really been logged in. You should stay in a state where you cannnot access files (nor admin) before having at least one 2FA being set up.
   2. In my PR (regarding TOTP) I just echoed the QR to get scanned by the user.
   3. There might be a better place since that might not be suitable (nor possible) for other 2FA.

Ideas and discussions

My initial idea on that is to provide a table (just like user admin) with a list of all configured 2FA endpoints like so:

I made a gist with the (very-early-super-basic) idea of the GUI.

@GitHubUser4234 (correctly) objected that the force-state I was thinking about can be skipped if there is a checkbox like "force" for an entity.

More Ideas

@ChristophWurst wrote

to me, the grid view looks complex and overwhelming. Also I'm worried about real-world setups where you have thousands of users and numerous groups. The grid would be really long then.

No, it should not. The list will only contain entities that differ from the default state.

• The GUI might be an exact copy of the user admin GUI - only with title's rotated by 90° to keep a nice look for multiple 2FAs. And the left panel showing "All", "Users", and "Groups".
• Might be a good idea to provide an input for a username in admin to get the real config for a user (since there is a defaul conf, 0-n group confs and the user config itself; see below).
• Perhaps there should also be an admin interface to see the enabled 2FA for a user.
• About inheritance: It should be discussed how that should work (can a factor once beeing denied been reactivated? How about more than one group?). I would prefer a simple top-down inheritance but since we can have multiple groups for one user a simple "user overrides group overrides default" will not work. Might be suitable to get the strictest rule (that might contain configs from multiple groups).

References

• Issue my PR is based on
• My PR with implementation of basic forced-2fa
• Another discussion (in core) about enhancing 2fa
• My gist with interface and an idea on the data-exchange structure (close-to-be-JSON)

---

What do you think? ;)

[ChristophWurst]

cc @nextcloud/designers

[GitHubUser4234]

@ChristophWurst Would be great if you could somehow find the related guys to remind them to have a look at it, this PR is awesome!

[urkle]

(from my comment in #41)
What I would like to see is a way to see which users in the system have enabled 2FA..
Overall IMHO an implementation of "Required 2FA" would be

• that I can easily see which users have 2FA enabled
  • this allows a manager to check who does not have it enabled and pester them until they do.
• make it so that once they enable 2FA they can not disable it.
  • either globally or by group. That is a group can be set to "allow 2fa" or "require 2fa". If a user belongs to any group that "require 2fa" then they can not unset 2fa once enabled.

[SPeedYdr]

The ideas above are just the perfect recipe for what am looking for;
But it looks like it may take a while to accomplish it all, the more immediate need is the ability to be able to force 2FA and be able to check which users have it enable/disable. In the initial enable process a Temp one time password key could be generated for the user with option to automatically redirect them to their "personal page" from where they can complete the 2FA setup.

[stobias123]

This is a blocker issue for adoption at my company. If I can't require 2FA for all users, then we cannot use the product. I've tried to use sudo -u apache ./occ twofactor:enable as a workaround, but even that doesn't seem to work.

Any ETA on when this might be implemented?

[enoch85]

Agree with @stobias123 This would make Nextcloud soo much better for enterprise users.

Design wise;

1. User logs in with the generated/given password.
2. The user gets prompted to download Google Authenticator, Authy or similar and is also given a QR Code to scan
3. User scans the code
4. Stuff are saved in DB and verified
5. User gets logged in and are presented with the First Run Wizard as normal.

[conorsch]

Glad y'all are working on this! It's great to have 2FA as an option, but as an admin, the ability to force 2FA is a requirement—otherwise I spend too much time chasing down users and telling them to opt-in. If folks can cheat, they'll cheat.

A simple "force" checkbox on the the plugin config page would satisfy my needs—I don't plan to allow users to opt-out of 2FA once it's enabled instance-wide.

[LukasReschke]

Agree with @stobias123 This would make Nextcloud soo much better for enterprise users.

Who also have the option to go to https://nextcloud.com/enterprise/ to see the development actually speed up here 😉