Changing 2FA from Fido/U2F to TOTP

[bastischubert]

Prior to placing the issue, please check following: (fill out each checkbox with an X once done)

• [x ] I understand that not following or deleting the below instructions will result in immediate closure and/or deletion of my issue.
• [x ] I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
• [x ] I have understood that answers are voluntary and community-driven, and not commercial support.
• [x ] I have verified that my issue has not been already answered in the past. I also checked previous issues.

Summary

With enabled FIDO/U2F two factor authentication its quite difficult to switch to TOTP, while the other way around works "as expected".

Logs

Reproduction

After enabling the TOTP, the FIDO/U2F is stil shown active and has to be "deleted" via the remove function. After that the TOTP Method is active. The other way from TOTP to FIDO there's no second 2FA in the background, becaus trying to delete a TOTP results in "last key cannot be deleted... disable 2fa .."

System information

Question	Answer
My operating system	Ubuntu 20
Is Apparmor, SELinux or similar active?	No
Virtualization technlogy (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported	KVM
Server/VM specifications (Memory, CPU Cores)	16GB / 6 Cores
Docker Version (docker version)	20.10.10
Docker-Compose Version (docker-compose version)	1.29.2
Reverse proxy (custom solution)	Hell no.. nothing :-))))

• Output of git diff origin/master, any other changes to the code? If so, please post them.

  
  --- a/docker-compose.yml
  +++ b/docker-compose.yml
  @@ -575,36 +575,6 @@ services:
         aliases:
           - ofelia

• ipv6nat-mailcow:

• depends_on:

• • unbound-mailcow
• • mysql-mailcow
• • redis-mailcow
• • clamd-mailcow
• • rspamd-mailcow
• • php-fpm-mailcow
• • sogo-mailcow
• • dovecot-mailcow
• • postfix-mailcow
• • memcached-mailcow
• • nginx-mailcow
• • acme-mailcow
• • netfilter-mailcow
• • watchdog-mailcow
• • dockerapi-mailcow
• • solr-mailcow

• environment:

• • TZ=${TZ}

• image: robbertkl/ipv6nat

• security_opt:

• • label=disable

• restart: always

• privileged: true

• network_mode: "host"

• volumes:

• • /var/run/docker.sock:/var/run/docker.sock:ro
• • /lib/modules:/lib/modules:ro

• networks: mailcow-network: driver: bridge

• All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptabels output can help us to help you: iptables -L -vn, ip6tables -L -vn, iptables -L -vn -t nat and ip6tables -L -vn -t nat.

No Firewall in place

• DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output.

➜  mailcow-dockerized git:(master) ✗ docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
151.101.193.69
151.101.65.69
151.101.1.69
151.101.129.69

[El-Virus]

Hey @bastischubert, could you update mailcow and check that the issue persists on your installation? I don't seem to be able to recreate it on mine.

[bastischubert]

I'll check next week after returning from vacation

[El-Virus]

Great, have a nice holiday!

[bastischubert]

Hi El-Virus the problem still exists, i've done a screencast showing that after changing the method to TOTP, still FIDO/U2F is shown -> Video available here https://cloud.2-die-4.tk/index.php/s/xJYwQ4AmejcjbRr

[El-Virus]

Huh, could you try, after changing it (create a domain administrator for this test so you don't get locked out), to subsequentially log off and log back in again? TOTP is supposed to activate on the next logon. Is it possible, that it could be a visual bug?

[bastischubert]

Hi,

it's not just a visual bug, the TOTP does not get activated and the U2F is still the active MFA method. (sorry for the delay in answering)

[milkmaker]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.