twofactor_totp
Setup new TOTP without disabling
I just had to move all my TOTP codes to my new phone. However in order to do this I have to disable and re-enable the TOTP setting.
While valid it does feel a little... counterintuitive.
I'd prefer a button 'setup new TOTP' or whatever that guides us through the wizard again (also warning that previous codes are invalid). Would feel a bit more user friendly IMO.
I would appreciate such an option as well. Unfortunately the same request was rejected some time ago, #158. At least for a limited number of devices, say max 5.
@isdnfan re-read @rullzer's suggestions. This isn't about allowing more than one simultaneous code, it's about a simpler UX flow. With this approach the old registrations will still be invalidated.
@ChristophWurst I agree the request isn't exactly the same. From the wording 'setup new TOTP' I understood it to be what I was looking for.
In general only one TOTP code is not ideal - the user can't pair multiple devices - like phone and tablet - for TOTP (or has to pair them at the same time). Other platforms like Google and Microsoft allow multiple TOTP devices - Nextcloud with WebAuthn as well - so why is it impossible to have multiple TOTP registrations identified by a friendly device name, which could be invalidated one by one once the user stops using a specific device?
Other platforms like Google and Microsoft allow multiple TOTP devices
Proof? At least for Google I find official and unofficial sources that say you need to reset TOTP and scan the QR code with all your devices at once. Like exactly how you can set up more than one device here.
Here is a screenshot from the MS O365 security page: 3 different authenticator apps are registered.
I use a hardware key and an authenticator app as backup in case I left my USB key at home. I would love to have the same on Nextcloud too.
I know this is just a workaround. But the initial QR code is just a letter/number string, which by the way is also displayed in plain text during the initial setup. This key can be copied and stored in a secure place (e.g. KeePass) and then used with as many TOTP apps and HW keys as you want. Also, many TOTP apps like for example andOTP on Android have a backup function. This makes it very easy to transfer the codes to a new device without having to change anything in the corresponding accounts.
@obrb that's how I currently work around that issue as well. Still not something I would trust an end-user with.