Can't get TOTP working on one account only

Steps to reproduce

  1. Log in to an account on a self-hosted ownCloud with the TOTP add-on installed.
  2. Switch on TOTP for the account, scan the QR code with Authenticator, confirm the code, log out.
  3. Log in again and provide the password; the TOTP code is not requested.

Expected behaviour

It should ask for the 2FA code, but that is not happening.

Actual behaviour

I’m not asked for the 2FA code, and only for this particular account.

Server configuration

Operating system:
Centos 7
Web server:
apache 2.4
Database:
mysql
PHP version:
7.3.29
ownCloud version: (see ownCloud admin page)
10.7.0.4
Updated from an older ownCloud or fresh install:
updated continuously since 2016
Where did you install ownCloud from:
owncloud repo
Signing status (ownCloud 9.0 and above):

Log in as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.

No errors have been found.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Enabled:

  • activity:
    • Version: 2.6.0
    • Path: /var/www/html/owncloud/apps/activity
  • bookmarks:
    • Version: 0.10.6
    • Path: /var/www/html/owncloud/apps/bookmarks
  • brute_force_protection:
    • Version: 1.1.0
    • Path: /var/www/html/owncloud/apps/brute_force_protection
  • comments:
    • Version: 0.3.0
    • Path: /var/www/html/owncloud/apps/comments
  • configreport:
    • Version: 0.2.0
    • Path: /var/www/html/owncloud/apps/configreport
  • customgroups:
    • Version: 0.6.2
    • Path: /var/www/html/owncloud/apps/customgroups
  • dav:
    • Version: 0.6.0
    • Path: /var/www/html/owncloud/apps/dav
  • federatedfilesharing:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps/federatedfilesharing
  • federation:
    • Version: 0.1.0
    • Path: /var/www/html/owncloud/apps/federation
  • files:
    • Version: 1.5.2
    • Path: /var/www/html/owncloud/apps/files
  • files_external:
    • Version: 0.7.1
    • Path: /var/www/html/owncloud/apps/files_external
  • files_external_ftp:
    • Version: 0.2.1
    • Path: /var/www/html/owncloud/apps/files_external_ftp
  • files_mediaviewer:
    • Version: 1.0.4
    • Path: /var/www/html/owncloud/apps/files_mediaviewer
  • files_pdfviewer:
    • Version: 0.12.1
    • Path: /var/www/html/owncloud/apps/files_pdfviewer
  • files_sharing:
    • Version: 0.14.0
    • Path: /var/www/html/owncloud/apps/files_sharing
  • files_texteditor:
    • Version: 2.3.1
    • Path: /var/www/html/owncloud/apps/files_texteditor
  • files_trashbin:
    • Version: 0.9.1
    • Path: /var/www/html/owncloud/apps/files_trashbin
  • files_versions:
    • Version: 1.3.0
    • Path: /var/www/html/owncloud/apps/files_versions
  • firstrunwizard:
    • Version: 1.2.0
    • Path: /var/www/html/owncloud/apps/firstrunwizard
  • guests:
    • Version: 0.9.1
    • Path: /var/www/html/owncloud/apps/guests
  • impersonate:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps/impersonate
  • market:
    • Version: 0.6.1
    • Path: /var/www/html/owncloud/apps/market
  • notifications:
    • Version: 0.5.2
    • Path: /var/www/html/owncloud/apps/notifications
  • oauth2:
    • Version: 0.4.4
    • Path: /var/www/html/owncloud/apps/oauth2
  • password_policy:
    • Version: 2.1.2
    • Path: /var/www/html/owncloud/apps/password_policy
  • provisioning_api:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps/provisioning_api
  • systemtags:
    • Version: 0.3.0
    • Path: /var/www/html/owncloud/apps/systemtags
  • twofactor_totp:
    • Version: 0.7.2
    • Path: /var/www/html/owncloud/apps/twofactor_totp
  • updatenotification:
    • Version: 0.2.1
    • Path: /var/www/html/owncloud/apps/updatenotification
  • user_external:
    • Version: 0.6.0
    • Path: /var/www/html/owncloud/apps/user_external

Disabled:
  • admin_audit:
    • Path: /var/www/html/owncloud/apps/admin_audit
  • announcementcenter:
    • Path: /var/www/html/owncloud/apps/announcementcenter
  • calendar:
    • Path: /var/www/html/owncloud/apps/calendar
  • encryption:
    • Path: /var/www/html/owncloud/apps/encryption
  • enterprise_key:
    • Path: /var/www/html/owncloud/apps/enterprise_key
  • external:
    • Path: /var/www/html/owncloud/apps/external
  • files_antivirus:
    • Path: /var/www/html/owncloud/apps/files_antivirus
  • files_classifier:
    • Path: /var/www/html/owncloud/apps/files_classifier
  • files_external_dropbox:
    • Path: /var/www/html/owncloud/apps/files_external_dropbox
  • files_ldap_home:
    • Path: /var/www/html/owncloud/apps/files_ldap_home
  • files_lifecycle:
    • Path: /var/www/html/owncloud/apps/files_lifecycle
  • firewall:
    • Path: /var/www/html/owncloud/apps/firewall
  • gallery:
    • Path: /var/www/html/owncloud/apps/gallery
  • graphapi:
    • Path: /var/www/html/owncloud/apps/graphapi
  • metrics:
    • Path: /var/www/html/owncloud/apps/metrics
  • openidconnect:
    • Path: /var/www/html/owncloud/apps/openidconnect
  • ownbackup:
    • Path: /var/www/html/owncloud/apps/ownbackup
  • ransomware_protection:
    • Path: /var/www/html/owncloud/apps/ransomware_protection
  • sharepoint:
    • Path: /var/www/html/owncloud/apps/sharepoint
  • systemtags_management:
    • Path: /var/www/html/owncloud/apps/systemtags_management
  • templateeditor:
    • Path: /var/www/html/owncloud/apps/templateeditor
  • theme-enterprise:
    • Path: /var/www/html/owncloud/apps/theme-enterprise
  • user_ldap:
    • Path: /var/www/html/owncloud/apps/user_ldap
  • user_shibboleth:
    • Path: /var/www/html/owncloud/apps/user_shibboleth
  • wopi:
    • Path: /var/www/html/owncloud/apps/wopi
  • workflow:
    • Path: /var/www/html/owncloud/apps/workflow

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…

Client configuration

Browser:
Firefox, Chrome
Operating system:
macOS Big Sur

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

What is different for this particular account?

Hi alfredb,
I’m afraid nothing is different.
I’ve got a few accounts authenticating with the same method on the same server.
I can’t figure out what the difference is.
I tried to switch TOTP on/off a couple of times, but nothing changed.
TOTP seems to be switched on and verified, and then I’m not asked to provide a code when logging in.
It’s really strange.
What else should I check?

After the user logged in without an OTP request, is the checkbox Activate TOTP still checked? If not, then for unknown reasons the user's record in db-table oc_twofactor_totp_secrets seems to go away. I’d recommend tracking this down.
Check the existence of the record…

  • …after successful verification.
  • …after user logged out.
  • …before next login.

Having an eye on the logs is never wrong.

Good luck!

Hi alfredb,
The checkbox Activate TOTP has a valid state all the time: when TOTP is switched on it is checked, and when it is switched off it is unchecked.
I tried to remove the add-on and reinstall it, but nothing has changed for this particular user.
Any other ideas?
Thanks!

Yes, but according to my theory the app doesn’t find the user's secret in the db, for unknown reasons. This is why I’d have a more in-depth look at the user's record in table
oc_twofactor_totp_secrets.

I see.
There is one entry in this table for this particular user, which is created when TOTP is switched on and destroyed when TOTP is switched off.
Maybe there is another entry in other tables marking this particular user as already authorized? Some session validation entry or so?

According to the docs, you can disable the two-factor check for a particular user. Did you also try

sudo -u www-data php occ twofactor:enable <username>


Thank you so much alfredb!
That’s it!
This did the trick!
For some unknown reason it was disabled!
All the best!

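An added example (not code from the thread or from ownCloud) that models why the login above skipped the OTP: two independent pieces of state decide whether a challenge is shown, the verified secret in oc_twofactor_totp_secrets and the per-user switch that `occ twofactor:enable/disable` toggles. The RFC 6238 code check is real; the record layouts, the user names and the secret values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
from typing import List, Optional


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme the authenticator app implements."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def verify_code(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current 30 s step or one step either side to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * 30), code)
               for k in range(-window, window + 1))


# Constructed demo state (not real data). SECRETS stands in for the
# oc_twofactor_totp_secrets records the thread inspected; TWOFACTOR_DISABLED
# stands in for the per-user switch that `occ twofactor:disable/enable` toggles.
SECRETS = {"alice": "JBSWY3DPEHPK3PXP", "bob": "JBSWY3DPEHPK3PXP"}
TWOFACTOR_DISABLED = {"bob"}


def challenge_required(user: str) -> bool:
    """Both must hold: an enrolled secret AND 2FA not disabled for this user."""
    return user in SECRETS and user not in TWOFACTOR_DISABLED


def login(user: str, password_ok: bool, code: Optional[str] = None, at: int = 0) -> str:
    """Return 'denied', 'need-otp' or 'ok' for one login attempt."""
    if not password_ok:
        return "denied"
    if not challenge_required(user):
        return "ok"  # the thread's case: the password alone logs the user in
    if code is None:
        return "need-otp"
    return "ok" if verify_code(SECRETS[user], code, at) else "denied"


def audit_inconsistent() -> List[str]:
    """Users who enrolled TOTP but will never be asked for it: the state to look for."""
    return sorted(set(SECRETS) & TWOFACTOR_DISABLED)
```

Running `audit_inconsistent()` against the real tables is the check alfredb's suggestion amounts to; `occ twofactor:enable <username>` is what removes a user from the disabled set.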

Glad to hear it works.
To be honest, I was unaware of that app until yesterday and I have never used it. It was just for my personal curiosity, to learn something new and to try to help. This might be the reason that I checked the db in the first place, instead of RTFM. :wink: Sorry!
