nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud

Home Page: https://apps.nextcloud.com/apps/twofactor_totp

License: GNU Affero General Public License v3.0

twofactor_totp's Introduction

Two Factor Totp

Tested with the following apps:

Tested with the following hardware devices:

Installation

Nextcloud 25 and newer

The app is shipped and comes with the installation of Nextcloud Server. No additional steps are necessary.

Nextcloud 24 and older

The app is available through the app store. It can be installed through Nextcloud's app management UI.

Enabling TOTP 2FA for your account

Login with external apps

Once you enable OTP with Two Factor Totp, your applications (for example your Android app or your GNOME app) will need to log in using device passwords. To manage it, know more here

Development setup

  • composer i
  • npm ci
  • npm run build or npm run dev more info

twofactor_totp's Issues

What if I lose my phone?

Hi, I just activated 2FA for my owncloud instance and it works just as expected (using Google Authenticator app).

I set up several app-specific passwords which also work fine. So I guess I have to thank you for the great work.

But I do have one little worry: What happens if I lose / destroy my phone so I cannot access the registered TOTP app anymore?

One thing is for sure: I cannot log in regularly via web interface to owncloud anymore. And probably I cannot change the login-system to "regular" from the owncloud app.

Is there a security fallback for such a case? Google provides a list of "backup-codes" which would work in such a case. So you have to know the username/password combination PLUS have such a backup code (which invalidates itself after one-time usage).

I would love to see such a fallback for emergency cases.

Disable TOTP for remote.php (CalDAV/CardDAV)

Is it possible to deactivate 2FA for the remote.php interface?
I am using CardDAV and CalDAV on my iPhone and with 2FA activated I get
wrong password messages each time I want to access my calendar and contacts.

After disabling the 2fa for the user, it works again...

QR code invalid since v0.4.0

Hello,

Since the last update to version 0.4.0, all newly created QR codes are invalid (the key itself works well though). This error occurs with multiple authenticator applications and on multiple devices. If I encode the key manually, it works just fine.

error_qrcode

I'm using ownCloud 9.1. I already tried to do the following:

  • Uninstall/Reinstall the app
  • Use it on another ownCloud instance
  • Disable/Enable 2FA for that specific user
  • Test with multiple users

Thanks.
Regards.

Gaétan

OC 9.1 Only headline showing, not tick box nor QR code

Hi,

I have downloaded version 0.4.0 from appstore and unpacked in /var/www/owncloud/apps/twofactor_totp/

On my user page, I only see the headline. The language is Danish. I looked at the source of the page and I saw only this:
`

TOTP To-faktor godkendelse

`

There are no errors in the log (set to include everything).

Is it my language, or am I missing some packages?

I run

  • Ubuntu Server 14.04
  • PHP 5.5.9-1ubuntu4.19
  • ownCloud 9.1.0

Invalid Barcode Error

Ok ... It seems that there is a bug with the QR code since 0.4 😒 I've tested your PR ... but ... Yeah 😢

Invaild Barcode: otpauth://totp/[email protected]?secret=XXXXXXXXXX&issuer=http://cloud.domain.com/ (Nextcloud)" is no vaild barcode

Tested with Authy and Google Authenticator 😁 ... Manually typing in the secret works.

cc @ChristophWurst

Verification before enabling

It might be a good idea to verify a code before actually enabling TOTP authentication, to ensure that the user has a working TOTP generator. That way you can't accidentally lock yourself out.

I imagine there could be an additional new text field and button below the QR code in the settings when enabling it, so it would be something like

[x] Enable TOTP
This is your new TOTP secret: [secret]
Scan this QR code with your TOTP app:
[image: QR code]
+And enter the generated TOTP code:
+[text field] [button: "Enable TOTP"]

Pressing the button checks the entered code:
valid code -> enable TOTP, display "TOTP Enabled"
invalid code -> don't enable TOTP, display "Invalid TOTP code, please try again"

Disable or Option to Disable Auto Refresh on 2FA Screen

Hi,
Thanks a lot for the great work.
I am using your plugin with Google Authenticator and it is working great. The only problem I see is that when I log in with username and password and it comes to the step where 2FA is presented, the page keeps refreshing after 6-8 seconds. That is not working well; can I somehow turn off this auto page refresh? I am slow with the keyboard. Sometimes it takes me a minute or even two struggling with 2FA, because before I can type the 2FA challenge code and log in, the page refreshes itself again and again.

So even though this app/plugin is something I like a lot, it is just like a buggy app I would someday like to see working as it should.

In terms of security, it (2FA page auto refresh) doesn't make any sense, because no other web/app (that uses 2FA) needs that and they are all fine.

But still if you do think like that then please include a setting option to Enable/ Disable the auto refresh option.

Does not work with NextCloud 10 (migrated from OwnCloud 9.1) and 0.4.1

Hi,

I just installed NC 10 (migrated from my old OC 9.1) installation and installed your plugin there (using the app functionality of NC itself). The version downloaded is 0.4.1, but I am not getting asked for a second factor.

I activated TOTP for my admin user and after activation I can scan the created QR code (or copy the totp key to my password manager). However, after log out I am not asked for the second factor on login. It just gets me directly to my files after entering the username and password (no totp token is needed at all).

Is there something that I am missing? Do I need to activate the plugin in a second place (maybe activate by user AND in global settings (that I did not find))? What can I do to debug this issue??

Cheers,
Niko

Reloading of login screen?

If I wait a short while before entering my TOTP code, the app will refresh the HTML page, thus losing half of what I typed. Why is the page refreshed? I don't see any reason for doing that. Related to the TOTP verification window? You should probably use the time when the OTP was received as a basis for TOTP verification -- and accept 2-3 older OTPs too.
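The "Verification before enabling" request and the verification-window question above both come down to the same check, sketched here as an added example that is not twofactor_totp's code or part of any report on this page. The account object and the function names are hypothetical; the algorithm is RFC 4226/6238 with HMAC-SHA1, 6 digits and 30-second steps.

```javascript
// Added example (Node.js), not project code. `account` and the function
// names below are hypothetical.
const crypto = require('node:crypto');

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
// followed by dynamic truncation to `digits` decimal digits.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 check. Returns the matching time-step counter, or null.
// `window` is how many steps either side of "now" are tolerated: a wider
// window forgives slow typing and clock drift, but every extra step is one
// more code that is valid at any given moment.
function verifyTotp(key, code, nowMs, { step = 30, window = 1 } = {}) {
  if (!/^\d{6}$/.test(code)) return null;
  const current = Math.floor(nowMs / 1000 / step);
  let match = null;
  for (let c = Math.max(0, current - window); c <= current + window; c++) {
    const expected = Buffer.from(hotp(key, c));
    // Constant-time compare, and no early exit from the loop.
    if (crypto.timingSafeEqual(expected, Buffer.from(code))) match = c;
  }
  return match;
}

// Step 1 of enrollment: create a secret but do NOT enable 2FA yet.
function beginEnrollment(account) {
  account.pendingKey = crypto.randomBytes(20);
  return account.pendingKey; // shown to the user as Base32 text / QR code
}

// Step 2: 2FA is switched on only after the user proves their generator
// works, so a bad scan cannot lock the account.
function confirmEnrollment(account, code, nowMs) {
  if (!account.pendingKey) return false;
  const counter = verifyTotp(account.pendingKey, code, nowMs);
  if (counter === null) return false;
  Object.assign(account, {
    key: account.pendingKey, pendingKey: null,
    enabled: true, lastCounter: counter,
  });
  return true;
}

// Login-time check: a code is accepted once; the same or an older
// time step is rejected as a replay.
function checkLogin(account, code, nowMs) {
  if (!account.enabled) return false; // nothing to verify against
  const counter = verifyTotp(account.key, code, nowMs);
  if (counter === null || counter <= account.lastCounter) return false;
  account.lastCounter = counter;
  return true;
}
```

Because the check is a pure function of the key, the code and the server clock, it does not depend on when the login page was rendered.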

OC 9.1: Nothing happens when enabling TOTP

Hi,

I just finished upgrading my OC to v. 9.1 stable. I've installed TwoFactor TOTP from GitHub (I couldn't do it from the appstore inside OC because the version in info.xml was reportedly different than the one in the store).

When I go to Personal settings and click Enable TOTP nothing happens. I don't see a QR code or anything else. Tried both Chrome and Firefox, no Ad-blocking software enabled.

Ubuntu 14.04
PHP 5.6.23

What am I missing?

Thanks!

app.php loaded too late, hence interface alias is not registered

Core checks 2FA providers whether they are enabled for a specific user. However, this provider cannot be instantiated as the alias for the ITotp interface is not yet registered at that point. app.php, which creates the application class, is loaded afterwards.

Log Failed Login Attempts

Hi,

it would be great if you could log failed two-factor authentication attempts to the standard ownCloud log file (data/owncloud.log). This way, it would be possible to lock IP addresses where too many failed attempts come from, and generally, one would have the possibility to detect that somebody stole the main password and is attempting to brute-force the TOTP.

Thank you
Thomas

Next Cloud

Hello,

I am trying to set up two factor authentication with nextcloud. The download I have is from owncloud, but it looks like it will work with both. When I try and enable the app I get an error because it is looking for owncloud 9.1, not nextcloud. Is there a different zip file that I need to make it work?

Thanks,
Chris

Constant refreshing at OTP screen

As mentioned on the OC app store thread for this app (and elsewhere), the OTP page keeps refreshing. Why does it need to do this, and why is it so quick?

Edit: I'm on NC10, and @ChristophWurst states in #29 that NC10-11 have fixed this in terms of nextcloud/server#984... But it's still refreshing for me, and this was a clean-install.

Repeated page refresh

Hi,

When NextCloud is configured with 'htaccess.RewriteBase' => '/' which will remove the index.php from the URL, the entry page for the second-factor code will continually refresh every few seconds.

Removing the rewrite will stop this behaviour and allow the verification page to remain on screen without refreshing but is obviously not ideal as the developers say that rewrite should have no adverse impact.

Disabling should require confirmation

Now it is easy to disable TOTP by mistake -- would it be possible to make the user confirm this? Right now disabling two-factor requires you to re-enable it and scan a new QR code, and if you have loaded it on many devices, this can easily be cumbersome. Other service providers appear to require confirmation before allowing disabling of two-factor authentication.

I suggest asking for an OTP or the main password to disable the plugin.

TOTP TwoFactor not accepting numeric codes

Hi, Christoph.

I am having trouble with the Google Authenticator codes working with the TOTP plugin in my 9.1 Community Edition environment. Upon logging in, it asks me to provide the numeric code. I open the Google Auth app on my phone, generate a code and enter it. The TOTP login interface rejects it saying that "an error has occurred." I've tried three or four codes at a time and get the same message. I've never successfully two-factored into ownCloud with this plugin. Any idea what could be causing that?

Thanks,

-Josh

Reloads every 5 seconds

Why does it reload the page every 5 seconds when I'm typing in the code? It's quite annoying.

twofactor_totp: App Certificate is not valid.

Hi,

I use Owncloud 9.1.1 and installed the two factor totp app which is working fine. However, the integrity check gives this error:

Results

  • twofactor_totp
    • EXCEPTION
      • OC\IntegrityCheck\Exceptions\InvalidSignatureException
      • App Certificate is not valid.

Raw output

Array
(
[twofactor_totp] => Array
(
[EXCEPTION] => Array
(
[class] => OC\IntegrityCheck\Exceptions\InvalidSignatureException
[message] => App Certificate is not valid.
)

    )

)

Any idea? Is a new certificate needed?

PHP Invalid Argument supplied for foreach() at

Thanks for making this app, but I still get some PHP errors in my admin console although it's working.

Any clue as to how this can happen?

I am using the following setup:
Ubuntu 14.04.3 LTS
Owncloud 9.1.0


Error PHP Invalid argument supplied for foreach() at /var/www/owncloud/lib/private/Authentication/TwoFactorAuth/Manager.php#112 2016-07-21T12:30:01+00:00
Error PHP Undefined index: two-factor-providers at /var/www/owncloud/lib/private/Authentication/TwoFactorAuth/Manager.php#111 2016-07-21T12:30:01+00:00
Error PHP Invalid argument supplied for foreach() at /var/www/owncloud/lib/private/Authentication/TwoFactorAuth/Manager.php#112 2016-07-21T12:29:59+00:00
Error PHP Undefined index: two-factor-providers at /var/www/owncloud/lib/private/Authentication/TwoFactorAuth/Manager.php#111 2016-07-21T12:30:05+00:00
Error PHP Invalid argument supplied for foreach() at /var/www/owncloud/lib/private/Authentication/TwoFactorAuth/Manager.php#112

Two factor screen keep reloading

Dear,

First of all, thanks for this great app. I'm currently using it with nextcloud 10.
I noticed something annoying:
As soon as I've entered my login and pwd, I got the page for the twofactor auth. This one keeps reloading every 5-7 seconds.

Rgds

Restoring access

How would one manually restore access to an admin account protected by lost TOTP app? (In theory)
In other words: where is the "on/off switch" for twofactor_totp for a particular account in the NextCloud backend?

TOTP breaks any client software

When using this app, you are not able to log in using any client software (including Nextcloud's Android app). This limits Nextcloud to be used within the browser solely. Using a client shows you this (or something similar):

owncloud verbindungsassistent_765

After disabling the app everything is back working and you can log in again.

Would it be possible to add a method to generate per-app passwords similar to Google's 2FA approach?

Credential name again

Thanks for improving the credential name. There might still be room for improvement though. In 0.4.0 the credential name looks like:

https://moln.sjd.se/owncloud/ (ownCloud):[email protected]/owncloud

Some other credentials I have look like this:

DigitalOcean:simon
Dropbox:[email protected]
github.com/jas4711
GitLab:[email protected]
Google:[email protected]
LinodeManager:[email protected]
RIPE NCC:[email protected]

While there appears to be no de-facto naming standard, it looks like a short keyword followed by colon followed by account info is "winning".

How about using the following naming scheme?

ownCloud: jas@moln.sjd.se/owncloud

Where obviously 'jas' is the username and 'moln.sjd.se' is the ownCloud server hostname, and '/owncloud' is the search path. Non-standard ports or non-https protocols are a complication, but maybe not worth worrying about? There is no way of knowing that port 443 and port 2382 on the same server don't go to the same ownCloud database anyway.

Short cookie validity?

Hello,

First of all - love your app! Been using it with OC 9.1 for a month now. Two things which I'm not really sure whether they're problem with the TOTP app or a core issue:

  1. Would it be possible to add a check not to ask for a code again on that computer (i.e. "Remember computer")?
  2. Can the TOTP field automatically appear after entering one's credentials (i.e. skip the select authentication page and go directly to the TOTP prompt)?

Thanks!

FR: Backup Codes

I didn't see this anywhere obvious, so if it is already available, ignore me :) But can we have a small set (say 3 or 5) of backup codes that can be used in case the person does not have the ability to use their authentication app (i.e., lost device)?

QR not accepted

Hi,

I can get no authenticator app on iOS to "understand" the QR code generated by TOTP with Nextcloud 10.

I tried different apps, Google Authenticator, HDE OTP - every one "reads" the QR, but says it has errors.
The generated secret is accepted by each of those apps when entered manually.

So I tried the example QR on this site - and THAT worked. But as I see, there is much more encoded in the "newer" QR. The easy URL from the example is okay, the longer one cannot be parsed by all apps I tested.

The old QR was type Weblink and like that scheme:
otpauth://totp/ownCloud/%20TOTP/secret=BLAHBLAHSECRET
That one is accepted by apps.

The new QR is type text and that scheme:
otpauth://totp/USERNAME@CloudURL/nextcloud?secret=BLAHBLAHSECRET&issuer=CLOUDURI
No way on any app tested.

Maybe an issue with the type of the QR?
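The QR reports on this page (the unescaped issuer in "Invalid Barcode Error" and the slash in the label quoted above) can be checked mechanically. The following is an added example, not twofactor_totp code and not part of any report: a conservative lint for `otpauth://` URIs following the Key URI Format (`otpauth://TYPE/LABEL?PARAMETERS`), plus a builder that percent-encodes everything. Function names and sample values are hypothetical, and the lint flags what should be encoded rather than claiming which character a given app rejects.

```javascript
// Added example (Node.js), not project code. Function names are hypothetical.
const SAFE_LABEL = /^(?:[A-Za-z0-9._~@:-]|%[0-9A-Fa-f]{2})*$/;
const SAFE_VALUE = /^(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})*$/;
const BASE32 = /^[A-Z2-7]+$/i;

function tryDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return null; }
}

// Returns a list of problems; an empty list means the URI passed the lint.
function lintOtpauthUri(uri) {
  const m = /^otpauth:\/\/(totp|hotp)\/([^?]*)\?(.*)$/.exec(uri);
  if (!m) return ['not of the form otpauth://totp|hotp/LABEL?PARAMETERS'];
  const [, , label, query] = m;
  const problems = [];

  // Label: "issuer:account" or "account", with everything else escaped.
  const labelText = SAFE_LABEL.test(label) ? tryDecode(label) : null;
  if (labelText === null) problems.push('label must be percent-encoded');

  // Parameters: inspect the raw text, since a lenient parser hides
  // exactly the characters we are looking for.
  const params = new Map();
  for (const pair of query.split('&')) {
    const [key, ...rest] = pair.split('=');
    const raw = rest.join('=');
    const value = SAFE_VALUE.test(raw) ? tryDecode(raw) : null;
    if (value === null) problems.push(`${key} value must be percent-encoded`);
    params.set(key, value);
  }

  if (!params.has('secret')) problems.push('missing secret parameter');
  else if (params.get('secret') !== null && !BASE32.test(params.get('secret'))) {
    problems.push('secret is not Base32');
  }

  // If the label carries an issuer prefix, it should equal the issuer parameter.
  const issuer = params.get('issuer');
  if (labelText && labelText.includes(':') && issuer) {
    const prefix = labelText.slice(0, labelText.indexOf(':'));
    if (prefix !== issuer) problems.push('label issuer differs from issuer parameter');
  }
  return problems;
}

// encodeURIComponent leaves ! ' ( ) * untouched; escape those as well.
function strictEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Builds "otpauth://totp/Issuer:account?secret=...&issuer=Issuer".
function buildOtpauthUri({ issuer, account, secret }) {
  if (issuer.includes(':') || account.includes(':')) {
    throw new Error('issuer and account must not contain a colon');
  }
  if (!BASE32.test(secret)) throw new Error('secret must be Base32');
  const label = `${strictEncode(issuer)}:${strictEncode(account)}`;
  return `otpauth://totp/${label}?secret=${secret}&issuer=${strictEncode(issuer)}`;
}
```

Running the lint over the URI that is about to be rendered into the QR image catches this class of regression before a user scans it.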

nextcloud 10 beta TOTP failure

Hi Christoph,
I just installed nextcloud 10 beta (all-inkl.com, PHP 7.08, mysql, apache running on ubuntu) and tried to enable the totp-app using the repository of nextcloud 10 beta. Unfortunately it was not possible. So I had to download the TOTP from github and enabled the app successfully. But now the following errors occur when trying to enable it for the current user:

totp

The app is currently not usable.

{"reqId":"V5HUIFUNiiwAAHWLXYUAAAAC","remoteAddr":"193.30.37.163","app":"PHP","message":"include_once(\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/apps\/twofactor_totp\/appinfo\/..\/vendor\/autoload.php): failed to open stream: No such file or directory at \/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/apps\/twofactor_totp\/appinfo\/app.php#24","level":3,"time":"2016-07-22T10:06:56+02:00","method":"GET","url":"\/index.php\/settings\/admin\/log\/entries?offset=13&count=10","user":"cloudchef"} {"reqId":"V5HUIFUNiiwAAHWLXYUAAAAC","remoteAddr":"193.30.37.163","app":"PHP","message":"include_once(): Failed opening '\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/apps\/twofactor_totp\/appinfo\/..\/vendor\/autoload.php' for inclusion (include_path='\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/3rdparty\/pear\/console_getopt:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/3rdparty\/pear\/pear_exception:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/3rdparty\/pear\/pear-core-minimal\/src:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/3rdparty\/pear\/archive_tar:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/3rdparty\/phpseclib\/phpseclib\/phpseclib:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/lib\/private:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/config:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/3rdparty:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/apps:.:\/usr\/share\/php:..:\/www\/htdocs\/<anonymous>\/nc10.c-rieger.de') at \/www\/htdocs\/<anonymous>\/nc10.c-rieger.de\/apps\/twofactor_totp\/appinfo\/app.php#24","level":3,"time":"2016-07-22T10:06:56+02:00","method":"GET","url":"\/index.php\/settings\/admin\/log\/entries?offset=13&count=10","user":"cloudchef"}

If you are interested, I can provide you access to this nextcloud installation.

Cheers, Carsten

Move to ownCloud GitHub org?

Does it make sense to move this repo into the ownCloud GitHub organization?

Yes, because…

No, because…

  • the more apps we move to the org, the slower Travis (and other services) becomes
  • contributions are equally simple as the usual GitHub workflow (fork+PR) works and I can add individual people to this repo if necessary
  • people think apps in the org are officially supported (by the Inc), which they mostly aren't. Same for this app (developed in my free time).

cc @PVince81 @DeepDiver1975 opinions/objections on leaving it as is?

Redirect after login with TOTP

It would be fantastic if TOTP checks if an alternate app is configured in ownCloud/nextcloud config as "default" app and redirects to it instead of a hardcoded redirect to the files app.

Thanks for your great work!

Ralf

Security audit

Once this is in a usable state for end users, ask security experts to review/audit the code

Can't enable TOTP on personal site

Hi
I have installed TOTP from the github package, turned it on globally and ran sudo -u apache ./occ twofactorauth:enable for the user. But when I go to personal settings I can't enable totp. Only a blank area. What should I check?

image

Pin input page is reloading every 5 seconds

First of all, a really good plugin, but I've got an issue: when I try to authenticate with my Google Authenticator PIN, the page is reloading every 5 seconds.

Installed Nextcloud Version: 10.0.0
Installed Plugin: 0.4.1

There is nothing in the nextcloud log; the developer tools console says:

JQMIGRATE: Migrate is installed, version 1.4.0
jquery.min.js?v=ce3e4fa…:4GET https://xxxx/owncloud/ocs/v2.php/apps/notifications/api/v1/notifications?format=json 401 (Unauthorized)send @ jquery.min.js?v=ce3e4fa…:4ajax @ jquery.min.js?v=ce3e4fa…:4fetch @ app.js?v=ce3e4fa…:329initialFetch @ app.js?v=ce3e4fa…:146initialise @ app.js?v=ce3e4fa…:59(anonymous function) @ app.js?v=ce3e4fa…:384j @ jquery.min.js?v=ce3e4fa…:2fireWith @ jquery.min.js?v=ce3e4fa…:2ready @ jquery.min.js?v=ce3e4fa…:2I @ jquery.min.js?v=ce3e4fa…:2
Failed to parse SourceMap: https://xxxx/owncloud/core/vendor/jquery/dist/jquery.min.map

Regards,

Christian

TOTP is not working

TOTP is not working at all. I enabled TOTP but I don't see any settings in the admin page. In my profile I see only this:
2016-10-01 10_37_34-osobiste - owncloud
Only header with TOTP text and nothing there.

An error occured while verifying the token

Using Google Authenticator displays the below error after entering verification code.

An error occured while verifying the token

OwnCloud throws below PHP error:

include_once(/var/www/html/owncloud/apps/twofactor_totp/appinfo../vendor/autoload.php): failed to open stream: No such file or directory at /var/www/html/owncloud/apps/twofactor_totp/appinfo/app.php#25

PHP Version: PHP 5.6.24
OS: CentOS Linux release 7.2.1511 (Core)
OwnCloud Version: 9.1.0 (stable)

Any help troubleshooting this would be greatly appreciated.
