nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0

2FA: Should also work with SSO #546

Open erebion opened 1 year ago

erebion commented 1 year ago

Currently users are not asked for their TOTP when logging in, even if the Nextcloud setting is set to "force two factor authentication".

There should be a setting that allows forcing TOTP even via SSO.

jacksgt commented 1 year ago

In my opinion, the identity provider (Keycloak, Authentik, ...) should decide / enforce whether the user logs in with 2FA or not.

erebion commented 1 year ago

@jacksgt I agree that it should be done on that end. However, users have not yet set up 2FA at the beginning of a migration to SSO, and they can access the account via local login with 2FA and now also via SSO without.

isdnfan commented 1 year ago

Nextcloud has no way to know how the user authenticated against the IdP; it trusts that the login process was "secure enough". Every modern IdP supports 2FA, and if you require a second factor, this should be enforced on the backend.
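As an added illustration (example code, not part of user_oidc and not any commenter's proposal): the one signal OIDC does offer a relying party is the optional `amr` claim in the ID token (values from RFC 8176), which an IdP may use to state that a second factor was used. The check below treats a missing or password-only `amr` as "no 2FA proven"; the token builder, sample claims and the set of accepted `amr` values are constructed assumptions for the demo.

```python
import base64
import json

# Authentication Method Reference values (RFC 8176) that this example
# treats as proof of a second factor. Which values satisfy policy is a
# deployment choice (an assumption here, not a user_oidc setting).
SECOND_FACTOR_AMR = {"mfa", "otp", "hwk"}


def payload_claims(id_token: str) -> dict:
    """Return the claims from the payload segment of a compact JWS.

    Only the payload is decoded; signature verification must already have
    been done by the OIDC library before any policy check trusts these claims.
    """
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def second_factor_used(claims: dict) -> bool:
    """True only if the IdP asserted a second factor via the optional amr claim.

    A missing or empty amr is no signal at all, so it yields False: the relying
    party must not assume 2FA happened just because the SSO login succeeded.
    """
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    return any(method in SECOND_FACTOR_AMR for method in amr)


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token for this offline demo only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


# Constructed samples: password + TOTP, password only, and no amr at all.
TOKEN_WITH_TOTP = _unsigned_token({"sub": "alice", "amr": ["pwd", "otp"]})
TOKEN_PWD_ONLY = _unsigned_token({"sub": "bob", "amr": ["pwd"]})
TOKEN_NO_AMR = _unsigned_token({"sub": "carol"})

if __name__ == "__main__":
    for tok in (TOKEN_WITH_TOTP, TOKEN_PWD_ONLY, TOKEN_NO_AMR):
        print(payload_claims(tok)["sub"], second_factor_used(payload_claims(tok)))
```

An IdP that never emits `amr` makes every login look like the third sample, which is exactly the "no way to know" situation the comment above describes.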

erebion commented 4 weeks ago

2FA should be available without relying on the SSO system.