nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

Administrative changes should be confirmed by a 2FA token instead of a password by default #7288

Open j-ed opened 6 years ago

j-ed commented 6 years ago

Expected behavior

If the twofactor_u2f app has been installed and an external U2F key has been registered, all password confirmation dialogs should be replaced by a U2F key confirmation.

Current behavior

If you're going to change a personal setting, a confirmation is usually requested. Although the twofactor_u2f app has been installed and an external U2F key has been registered, the login password needs to be entered manually instead of requesting a confirmation via the available U2F key.

Steps to reproduce

  1. Open the personal settings.
  2. Change e.g. the language setting.
  3. The login password needs to be entered to confirm the change.

Environment

Server Configuration

OS: Linux 3.16.47
Web server: Apache2 2.4.29
Database: MariaDB 10.0.32
PHP version: 5.6.29
Nextcloud version: 12.0.3

Client Configuration

Browser: Mozilla Firefox 57.0
Operating system: Windows 7

MorrisJobke commented 6 years ago

cc @nickvergessen @ChristophWurst

ChristophWurst commented 6 years ago

This would introduce a hard dependency on the U2F app which now is completely independent.

j-ed commented 6 years ago

@ChristophWurst The twofactor_u2f app already allows replacing, or rather completing, the login process, so it should also be possible to replace the password request if the app has been installed and activated. Doesn't any kind of hook exist at the relevant place to allow the app to replace the existing confirmation dialog?

ChristophWurst commented 6 years ago

I'm not aware of any.

j-ed commented 6 years ago

The issue has still not been fixed in Nextcloud v13.0.6.

MorrisJobke commented 6 years ago

> The issue has still not been fixed in Nextcloud v13.0.6.

This is also just an enhancement. Also this ticket is not closed so it is also not fixed in master, nor in 14 and not even in 13. First we need to find time to look into this, then find a technical solution, implement it and then it can be tested.

j-ed commented 6 years ago

@MorrisJobke I understand. Due to the fact that the issue has automatically been classified as stale, I worried whether this would be the last step before automatically closing the ticket.

MorrisJobke commented 5 years ago

Similar request (with TOTP) in #13025

cc @ChristophWurst @nickvergessen

ChristophWurst commented 5 years ago

Unfortunately the described feature is not really high on our priority list. But this doesn't mean that we don't like the idea or that we are against this feature per se. Quite the opposite! :slightly_smiling_face:

There are many ways to get new features in Nextcloud:

  1. The easiest and most straightforward way (especially here at GitHub): pull request. Nextcloud is completely Free Software, this means that everyone is welcome to join and to contribute. If you or anyone else wants to work on this feature, this would be great! We appreciate every pull request, and we are definitely able to help in case of questions, reviews, etc.

  2. Another option is creating a bounty at Bountysource, although just putting money on an issue doesn't guarantee that someone picks it up (in time). But in general it is a nice way to support the huge Nextcloud community. In case a Nextcloud GmbH employee picks up the bounty we will give it back to the community by putting the money back on other bounties to make sure all bounties benefit the Nextcloud community.

  3. We have a category for Freelancers in our form. Another option would be to post an offer there and try to find a freelancer who wants to work on it.

  4. The most direct way for a company or organization to get the issue addressed is to get an Enterprise Subscription. This includes everything to enable you to run Nextcloud in a productive environment with guaranteed SLAs and more. The Enterprise Subscription also includes optional professional services such as custom development. Feel free to reach out to us. We are happy to explore the possibilities how to make Nextcloud fit your needs.

skjnldsv commented 4 years ago

Status?