nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0

Setup new TOTP without disabling #678

Open rullzer opened 5 years ago

rullzer commented 5 years ago

I just had to move all my TOTP codes to my new phone. However, in order to do this I have to disable and re-enable the TOTP setting.

While valid, it does feel a little... counterintuitive.

I'd prefer a button 'setup new TOTP' or whatever that guides us through the wizard again (also warning that previous codes are invalid). Would feel a bit more user friendly IMO.

isdnfan commented 3 years ago

I would appreciate such an option as well. Unfortunately the same request was rejected some time ago (#158). At least for a limited number of devices, say max 5.

ChristophWurst commented 3 years ago

@isdnfan re-read @rullzer's suggestions. This isn't about allowing more than one simultaneous code, it's about a simpler UX flow. With this approach the old registrations will still be invalidated.

isdnfan commented 3 years ago

@ChristophWurst I agree the request isn't exactly the same. From the wording 'setup new TOTP' I understood it as what I was looking for.

In general, only one TOTP code is not ideal - the user can't pair multiple devices - like phone and tablet - for TOTP (or has to pair them at the same time). Other platforms like Google and Microsoft allow multiple TOTP devices - Nextcloud with WebAuthn as well - so why is it impossible to have multiple TOTP secrets, identified by a friendly device name, which could be invalidated one by one once the user stops using a specific device?

ChristophWurst commented 3 years ago

> Other platforms like Google and Microsoft allow multiple TOTP devices

Proof? At least for Google I find official and unofficial sources that say you need to reset TOTP and scan the QR code with all your devices at once. Like exactly how you can set up more than one device here.

isdnfan commented 3 years ago

Here is a screenshot from the MS O365 security page: 3 different authenticator apps are registered: [image]

ToeiRei commented 3 years ago

I use hardware and an authenticator app as backup in case I left my USB key at home. I would love to have the same way on Nextcloud too.

obrb commented 2 years ago

I know this is just a workaround. But the initial QR code is just a letter/number string, which by the way is also displayed in plain text during the initial setup. This key can be copied and stored in a secure place (e.g. KeePass) and then used with as many TOTP apps and HW keys as you want. Also, many TOTP apps, like for example andOTP on Android, do have a backup function. This makes it very easy to transfer the codes to a new device without having to change anything in the corresponding accounts.

ToeiRei commented 2 years ago

@obrb that's how I currently work around that issue as well. Still not something I would trust an end-user with.