twofactor_gateway icon indicating copy to clipboard operation
twofactor_gateway copied to clipboard

Published 20 hours ago • verified publisher icon nextcloud

Recovery keys

Open morph027 opened this issue 5 years ago • 4 comments

This just crosses my mind:

  • user has setup a signal gateway (not sure how the implementations are handling new keys)
  • user is using 2F
  • user gets a new phone, installs Signal, get's new keys
  • want's to login into Nextcloud
  • gateway refused to send due to security constraints (keys are not matching)

When enabling 2F like this, we should probably spit out some recovery keys like with TOTP (if I remember).

morph027 avatar Aug 27 '18 08:08 morph027

gateway refused to send due to security constraints (keys are not matching)

Haven't found about that scenario but yes, this needs some error handling. Do you happen to know if the gateway will communicate this error via its REST API?

ChristophWurst avatar Aug 27 '18 08:08 ChristophWurst

gateway refused to send due to security constraints (keys are not matching)

Generally, people should generate backup codes for these situations. However, we currently can't enforce that (yet).

ChristophWurst avatar Aug 27 '18 08:08 ChristophWurst

Not sure if it's possible with the Signal app...anyway, we can add a notice on how to act in this case (manually deleting the file on the gateway).

I can catch the error and answer accordingly.

morph027 avatar Aug 27 '18 09:08 morph027

New version should return

{'success': False, 'error': 'remote identity is not trusted'}

in case it happens.

morph027 avatar Aug 27 '18 18:08 morph027