[X] This is a feature request for one feature, not a question, discussion or multiple features.
[X] This is not a feature request for the browser extension or another client.
[x] This feature is not already requested on GitHub (I've searched it).
[X] This feature does not already exist (I checked the wiki).
Current Status
At present, the Nextcloud Passwords app allows users to create independent end-to-end application passwords. However, users are not compelled to set up these passwords, leaving potential vulnerabilities in the system.
Feature Description
For Administrators:
1.1 Access Nextcloud via the web.
1.2 Open "Settings" and navigate to "Administration" → "Security".
1.3 There is a section for "Passwords" settings.
1.4 Under the "Passwords" settings, there is a checkbox for "Force enable end-to-end passwords".
1.5 Under the "Passwords" settings, there is also an option to restrict to specific groups or exclude certain groups.
For Users:
When administrators check the "Force enable end-to-end passwords" checkbox, users accessing the "Passwords" app will encounter the following scenarios:
2.1 If a user has already set up an end-to-end password, they will log in normally without any changes.
2.2 If a user has not set up an end-to-end password, they will be prompted with a mandatory setup wizard.
Additional Context
Consider a scenario where a security-conscious user, U1, sets up an application password for the Passwords app. However, when U1 needs to share a password with another user, U2, who hasn't configured an application password, security concerns arise. Without U2 having an application password, the risk of unauthorized access increases, especially if U2's device is lost or stolen.
By making the configuration of independent application passwords mandatory, we can significantly enhance the security posture of Nextcloud installations and ensure the protection of sensitive information.
Looking forward to seeing this enhancement incorporated into future versions of the Nextcloud Passwords app.