Login a bit awkward when TOTP plus backup codes are used


Hello. I just managed to get 2FA working tonight. It works well. But there is one detail that is a bit awkward imho, if I create backup codes.

  1. Activate TOTP
  2. Generate One-time Backup Code
  3. Login with web interface

I expect to enter my username and password, then get prompted for a 2FA code.

Instead, an intermediate screen asks if I want to enter a 2FA code or a recovery code. I have to click on a choice to proceed. But why? 2FA codes are decimal numeric. Recovery codes are hex. Should be able to look at them and decide what needs to be done. It’s not any bigger a security risk - everyone knows that 2FA codes are in most cases 6-digit decimal numerics so it’s no more risky to make that decision after the user enters the information is it?

twofactor_totp and twofactor_backup_codes are two different 2FA providers, independent of each other. The 2FA options of ownCloud can be extended with more 2FA apps installed on the server. You can even implement multiple two-factor options together in the same app; that way it can work like you expect. I guess you can find this kind of 2FA provider implemented by the community in ownCloud's marketplace.

But deciding which provider should be used based on the input format creates coupling between 2FA apps and harms extensibility. IMO, to keep its genericity and freedom, the current way is acceptable.
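To make the trade-off discussed above concrete, here is an added example (not ownCloud's code, and in Python rather than the PHP an ownCloud 2FA app would use) of a single provider that accepts both a TOTP code and a one-time backup code and routes on the format of what the user typed. The formats are assumptions: six decimal digits for TOTP as stated in the thread, and 16 hex characters for a backup code (the thread only says backup codes are hex; the length is assumed). The `formats_overlap` check shows the catch with format-based dispatch: every decimal string is also valid hex, so the two formats only stay distinguishable while their lengths differ.

```python
"""Hypothetical combined second-factor check that picks the verifier from the
code's format: 6 decimal digits -> TOTP (RFC 6238), 16 hex chars -> one-time
backup code. Example code, not ownCloud's; formats and lengths are assumptions."""
import hashlib
import hmac
import re
import secrets
import struct
import time
from typing import Optional

TOTP_DIGITS = 6
TOTP_PERIOD = 30
BACKUP_HEX_LEN = 16  # assumed: 8 random bytes, hex encoded

TOTP_RE = re.compile(r"[0-9]{%d}" % TOTP_DIGITS)
BACKUP_RE = re.compile(r"[0-9a-f]{%d}" % BACKUP_HEX_LEN)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = TOTP_PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, at // period)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock skew)."""
    step = at // TOTP_PERIOD
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


class BackupCodeStore:
    """Single-use backup codes, kept only as SHA-256 hashes."""

    def __init__(self):
        self._hashes = set()

    def generate(self, n: int = 5):
        codes = [secrets.token_hex(BACKUP_HEX_LEN // 2) for _ in range(n)]
        self._hashes.update(hashlib.sha256(c.encode()).hexdigest() for c in codes)
        return codes  # shown once to the user, never stored in clear

    def consume(self, code: str) -> bool:
        h = hashlib.sha256(code.encode()).hexdigest()
        # Compare against every stored hash so timing does not reveal which
        # entry (if any) matched; remove the used one afterwards.
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, h):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)
        return True

    def remaining(self) -> int:
        return len(self._hashes)


def formats_overlap() -> bool:
    """Decimal digits are valid hex too, so the only thing separating the two
    formats is length. True means format-based dispatch would be ambiguous."""
    return TOTP_DIGITS == BACKUP_HEX_LEN


def verify_second_factor(code: str, secret: bytes, store: BackupCodeStore,
                         at: Optional[int] = None) -> Optional[str]:
    """Route on format; return the name of the provider that accepted the code."""
    at = int(time.time()) if at is None else at
    code = code.strip().lower().replace(" ", "").replace("-", "")
    if TOTP_RE.fullmatch(code):
        return "totp" if verify_totp(secret, code, at) else None
    if BACKUP_RE.fullmatch(code):
        return "backup_code" if store.consume(code) else None
    return None  # neither format: reject without touching either verifier
```

The dispatcher is only safe because the two regexes cannot both match the same string; if a deployment changed backup codes to six hex characters, a code such as 123456 would have to be tried against both providers, and the nice separation that the reply above wants to preserve between independent 2FA apps is exactly what this single dispatcher gives up.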
