Enforce two-factor auth UX issues #12249

Closed
schiessle opened this issue Nov 4, 2018 · 8 comments
Labels
design Design, UI, UX, etc. enhancement
Comments

@schiessle (Member) commented Nov 4, 2018

It is really great that we have the possibility to enforce two factor auth with Nextcloud 15, thanks to everyone who made this happen!

I tested it last week with @MariusBluem and we found some (small) issues we want to document for improvements.

  1. I think the settings could need some more spacing, the "Limit to groups" part looks quite squeezed together:

(screenshot)

Also it was not obvious to me what these settings mean. If I don't do anything, will it be enforced for everyone? What happens if I explicitly enforce it for groupA and not for groupB and a user is in both groups?

  2. Another thing which confuses me is that I can enforce two factor auth even if not a single two factor auth method is enabled. I think it would make sense to check that at least one is enabled (u2f, totp, ...) and otherwise disable the checkbox. -> Warn/check if any 2FA provider is active before enforcing 2FA #12267

  3. OK, I enabled it now, logged out and tried to log in again, which led to this screen

(screenshot)

As I'm the admin I'm now logged out.
Also I don't understand why I should contact the admin now and what they are supposed to do. What I would expect is that Nextcloud tells me that two-factor auth is required for this account and asks me to scan a QR code, insert my Nitrokey, whatever. Basically offering a way to complete the setup by myself. I don't think it scales for large installations if everyone has to contact the admin now to do something manually. -> #12268

@schiessle schiessle added enhancement design Design, UI, UX, etc. labels Nov 4, 2018
@schiessle schiessle added this to the Nextcloud 15 milestone Nov 4, 2018
@schiessle (Member, Author)

cc @ChristophWurst

@nextcloud-bot (Member)

GitMate.io thinks possibly related issues are #6673 (Issue because enforcing security header), #11317 (Two Factor Auth Preventing User First Login (Default Install)), #11455 (Add ability to enforce two-factor authentication), #10634 (Two factor authetication is enforced even if no provider is active), and #1415 (Two-factor auth: Exclude internal networks).

@MariusBluem (Member)

Thanks @schiessle 😸

> Also it was not obvious to me what these settings mean. If I don't do anything, will it be enforced for everyone? What happens if I explicitly enforce it for groupA and not for groupB and a user is in both groups?

Should be (and at least it behaves like this in my testing) that the user has enforced two-factor if he is in one of these groups ... and I think that makes most sense :)

> Another thing which confuses me is that I can enforce two factor auth even if not a single two factor auth method is enabled. I think it would make sense to check that at least one is enabled (u2f, totp, ...) and otherwise disable the checkbox.

We could solve this by showing an overview of the users' 2FA status in the user settings (see GitHub organization settings) ... GitHub is a positive example of mandatory 2FA settings & behavior.

> Also I don't understand why I should contact the admin now and what they are supposed to do.

He should do `sudo -u www-data php occ twofactor:disable <username>` 😅

> What I would expect is that Nextcloud tells me that two-factor auth is required for this account and asks me to scan a QR code, insert my Nitrokey, whatever.

⬆ Like GitHub does ... if we want to have it easier (for now) I could think of blocking those restrictions for groups in which not everybody has 2FA enabled already.

@ChristophWurst (Member) commented Nov 5, 2018

> Also it was not obvious to me what these settings mean. If I don't do anything, will it be enforced for everyone? What happens if I explicitly enforce it for groupA and not for groupB and a user is in both groups?

> Another thing which confuses me is that I can enforce two factor auth even if not a single two factor auth method is enabled. I think it would make sense to check that at least one is enabled (u2f, totp, ...) and otherwise disable the checkbox.

> As I'm the admin I'm now logged out.
> Also I don't understand why I should contact the admin now and what they are supposed to do.

> What I would expect is that Nextcloud tells me that two-factor auth is required for this account and asks me to scan a QR code, insert my Nitrokey, whatever. Basically offering a way to complete the setup by myself. I don't think it scales for large installations if everyone has to contact the admin now to do something manually.

> We could solve this by showing an overview of the users' 2FA status in the user settings (see GitHub organization settings) ... GitHub is a positive example of mandatory 2FA settings & behavior.

> He should do `sudo -u www-data php occ twofactor:disable <username>` 😅

> ⬆ Like GitHub does ... if we want to have it easier (for now) I could think of blocking those restrictions for groups in which not everybody has 2FA enabled already.

  • Nope
    (screenshot: bildschirmfoto von 2018-11-05 08-17-08)

@ChristophWurst (Member)

> As I'm the admin I'm now logged out.

Btw, the admin interface even warned you: If they do not have a two-factor provider configured, they will be unable to log into the system. 🙈
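The thread settles two semantic points worth pinning down before anyone flips the switch in production: enforcement limited to groups applies to a user who is in any one of the enforced groups (MariusBluem's answer above), and enabling enforcement while no provider is active, or while the admin has no provider configured, locks those accounts out (schiessle's item 2 and 3, and the warning Christoph quotes). The following is an added example, not Nextcloud code: it models that policy in plain Python and adds the pre-flight check the issue asks for, reporting every affected user who would be unable to log in. Group names, provider ids and users are constructed sample data.

```python
from dataclasses import dataclass

# --- constructed model of the behaviour described in the issue ---------------


@dataclass(frozen=True)
class User:
    uid: str
    groups: frozenset                # group ids the user belongs to
    configured_providers: frozenset  # provider ids the user has set up ("totp", "u2f", ...)


@dataclass
class EnforcementPolicy:
    enabled: bool = False
    # "Limit to groups": empty means enforcement applies to every user.
    limit_to_groups: frozenset = frozenset()

    def applies_to(self, user: User) -> bool:
        """Is two-factor auth mandatory for this user under this policy?"""
        if not self.enabled:
            return False
        if not self.limit_to_groups:
            return True
        # Membership in any single enforced group is sufficient, so a user in
        # groupA (enforced) and groupB (not listed) is still enforced.
        return bool(user.groups & self.limit_to_groups)


def preflight(policy: EnforcementPolicy, active_providers: frozenset, users) -> list:
    """Return the problems that would make turning on enforcement unsafe.

    An empty list means nobody covered by the policy would be locked out.
    """
    problems = []
    if policy.enabled and not active_providers:
        # The checkbox the issue wants disabled: enforcing with zero providers
        # makes the second factor impossible to satisfy for everyone affected.
        problems.append("no two-factor provider is active: enforcement would lock out every affected user")
    for user in users:
        # A configured provider only helps if that provider app is still enabled.
        usable = user.configured_providers & active_providers
        if policy.applies_to(user) and not usable:
            problems.append(f"{user.uid} has no active provider configured and would be unable to log in")
    return problems


# Constructed sample directory: the admin never set up a second factor.
USERS = [
    User("admin", frozenset({"admin"}), frozenset()),
    User("alice", frozenset({"groupB"}), frozenset({"totp"})),
    User("bob", frozenset({"groupA", "groupB"}), frozenset()),
]
ACTIVE_PROVIDERS = frozenset({"totp", "u2f"})


def scenario_everyone() -> list:
    """Enforce for all users: admin and bob have nothing configured."""
    return preflight(EnforcementPolicy(enabled=True), ACTIVE_PROVIDERS, USERS)


def scenario_group_a() -> list:
    """Limit to groupA: only bob is covered, and he has nothing configured."""
    policy = EnforcementPolicy(enabled=True, limit_to_groups=frozenset({"groupA"}))
    return preflight(policy, ACTIVE_PROVIDERS, USERS)


def scenario_no_providers() -> list:
    """Enforce with every provider app disabled: everyone is locked out."""
    return preflight(EnforcementPolicy(enabled=True), frozenset(), USERS)


if __name__ == "__main__":
    for name, run in [("everyone", scenario_everyone),
                      ("groupA only", scenario_group_a),
                      ("no providers", scenario_no_providers)]:
        print(f"[{name}]")
        for problem in run() or ["ok"]:
            print("  -", problem)
```

Run it before enabling enforcement on a real instance by replacing the constructed lists with the output of your own user and provider inventory; an admin account that shows up in the report is exactly the self-lockout described in the issue.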

@MorrisJobke (Member)

@ChristophWurst @schiessle What is left here? Are all remaining issues opened as separate tickets? So we can close this one here.

@ChristophWurst (Member)

I think so, yes.

ChristophWurst added a commit that referenced this issue Nov 22, 2018
Ref #12249
Ref nextcloud/documentation#937

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
@te-online (Contributor) commented Mar 15, 2019

Just wanted to say, great improvements on this feature! 🎉 I trapped myself into forcing 2fa while it was not configured for my admin account, so @schiessle was not the only one... 😬 Edit: Or at least, that work has started on the improvements, is what I wanted to say 😁
