Two Factor Authentication

Hello,

Are there any possibilities to set up 2FA using email instead of TOTP on ownCloud 10?

If we enable the 2FA TOTP module we can't use the mobile client - it seems there is no feature to enter the code for authentication.

Kind regards,
Konstantin

Hi,

Do you mean that if you enable TOTP, you can't log in on your mobile device, for example an iPhone or a Samsung?

Correct, on iPhone using the following app:

There is an error while connecting if I use TOTP: wrong password.

Okay, you need to install OAuth2 in addition to TOTP.

So in steps:

1. Go to the Market in your ownCloud and install the OAuth2 app.
2. Then install the 2-Factor Authentication app.
3. Then create a new user and log in as that user.
4. Go to Settings and, under Personal - Security, activate the TOTP feature.
5. Then scan the QR code with a TOTP app, for example FreeOTP.
6. Then enter the code.

Then you can log in with your username and password on a mobile device, enter your password, and then the code from your OTP app.

You can use app passwords for desktop and mobile clients when using two-factor authentication. See https://central.owncloud.org/t/access-forbidden-by-server-on-windows-desktop-client-application/10070/6

I've installed the OAuth2 app, but while connecting from the iPhone I see the error "Internal Server Error".
Can I use email to receive the token for 2FA?

With this one - I don't think so. You should check out privacyidea

Edit: Unfortunately 2FA via E-Mail can't work with ownCloud. I am sorry.

The ownCloud core supports multiple second-factor providers, and twofactor_totp only provides TOTP as a second factor. There is an old repo for twofactor_email: https://github.com/owncloud/twofactor_email , but currently it is not maintained. If you want, you can be a maintainer for it; I'm happy to help if you have any questions about it.

By the way, mobile and desktop clients do not support any kind of two-factor provider. As far as I understand, twofactor_email also does not solve your problem. If you want to use two-factor auth on your server, you should authenticate your clients via app passwords or oauth.

@kos, you were wondering if you could send a one-time password code to an email address. You can do this, as @dmitry mentioned, with privacyidea. In ownCloud you need to install the privacyIDEA ownCloud App from the marketplace.

This privacyIDEA ownCloud App needs to talk to a (your) privacyIDEA server. Yes, you need to install the central authentication server privacyIDEA in your setup in addition.
But for this you get:

  • the administrator can define who has to use which second factor!
  • many different token types for 2FA like: Smartphone App, hardware token, SMS, Email, YubiKey, U2F... and many more...

When you have done this, you can at least use app passwords as @karakayasemi mentioned.
