twofactor_email
different email address for 2FA
Using the 2-factor email provider, I can see the following security problem: If the email account is compromised, an attacker would be able to request a password reset for the nextcloud account, and with the same email address he can request the 2FA token. This would give the attacker easy access to the cloud system.
Can you add a feature that a different email address (than the standard address connected to the account), can be used for 2-factor email provider?
I agree @JanH77 . The personal email could be used to receive the token instead of the company email. I hope it is easy to implement and @rullzer it helps us. Thanks in advance
The now integrated possibility to set multiple notification addresses is independent of this issue, right?
Since there now may be several notification email addresses, the question is what the best solution is. I see two options:
- Enhance the user setting so that not only a "primary email for password reset and notification" but also a "separate email as second factor (Two-Factor Email)" may be set in /settings/user. This would be more logical from a user perspective.
- Have a completely independent email address setting in /settings/user/security. This seems awkward since multiple addresses are kept in /settings/user already. But on the other hand it's very "close" to the 2FA settings and much easier to implement as it is fully implementable within twofactor_email.
Thoughts? @blizzz @juliushaertl
I like both options. I think the first option is much easier on the end user's side, since now we can add multiple emails under a user account. But the question I have is: would that mean you'll get two emails at the same time when logging in and requesting a 2FA email verification, one going to the primary email and one to the secondary email?
I'm trying to picture the process from step one to successfully logging in.
I agree with @nursoda , from user perspective option one will be the better more logical choice.
However, I could think about the following solution (if this is possible):
- add an additional email address setting to the user profile (/settings/user)
- in the Two-Factor Email setting (/settings/user/security), let the user select (e.g. by dropdown) which of the configured email addresses (in /settings/user) should be used for Two-Factor Email
Complexity arises from edge cases: What shall happen if the user sets everything as aforementioned and then e.g. deletes the previously (in twofactor_email) "selected" address?
I only had one email under my account, my work email, and I also added my personal email. As soon as I changed my primary email from work to personal, the 2FA email changed automatically. Now that I'm on my personal as primary, I deleted the personal, but the email still remained under 2FA email; but then, as I made my work email primary again, it changed under 2FA email.
Highly integrated solution depends on server code (not being implemented)
let the user select by dropdown which of the email addresses configured in /settings/user to be used
Yes, I also like that and consider it a good solution in terms of UI and UX. But it would require catching a lot of corner cases in code that I have no influence in (and at least now don't want to write PRs for). If we went for that, some considerations would have to be made. That is why I tend not to implement that. Here are my thoughts:
If one would implement this, one would need to decide
- which address to select as default: a) the primary address (which is also used for password reset) b) not the primary address (could be a better choice if compromised email account is an attack scenario)
- How to deal with a "missing" (deleted/changed) address when
  - /settings/user/security is opened
  - Two-Factor Email is used for a challenge
And one would need to find out / know
- how many (0…n) email addresses are usable
- possibly flag them similar to the flag "primary", and display that flag in /settings/user
- whether (and when) it is detectable if the user (or an admin) deleted the address in use for Two-Factor Email
  - and no other usable address is available (inform admin?)
  - and there is another address available (user expectation?)
- what shall happen if the address is changed (is that detectable after all)? (Inform the user that the address used for Two-Factor Email has changed?)
Proposal: Implement within the app only (and separately store an email address)
Given all that, and until (UI/UX) veto from Nextcloud staff side, I tend to implement the much simpler way: Keep all config necessary within code and config/DB of the Two-Factor Email app. That way no modification by the server team is needed. My idea is to implement this (any help appreciated):
- get the list of email addresses from /settings/user
- in Two-Factor Email setup allow the user
- to copy one of these addresses (if available)
- to set an arbitrary address in the input field
- save that address in the apps namespace in the NC database and use it until the user changes it
- add some explanatory text that it may be safer not to use the primary address and decide on how much information shall be given to users about attack scenarios and where to put such information:
  - hidden "drop-down" text block? (like <details> in GitHub?)
  - link to "https://github.com/nursoda/twofactor_email/wiki/User-manual" (or elsewhere)?
- implement ability for OCC to allow admins/users to enable Two-Factor Email and set the address to be used
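To make the trade-offs in the two lists above concrete, here is an added model of the app-internal proposal in Python. It is not code from twofactor_email or from Nextcloud; the class names, the stored keys and the case-insensitive address comparison are assumptions. It stores the second-factor address in the app's own state (so a deletion in /settings/user does not remove it), prefers a non-primary address as the default, requires verification before a challenge is sent (the #83 question), and flags at challenge time when the stored address coincides with the primary address, i.e. the password-reset channel, which is the scenario from the opening post and the situation reported above when the primary address was switched.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def normalize(address: str) -> str:
    """Canonical form for comparison. Assumption: treat the whole address as
    case-insensitive, which is what a practical duplicate check wants."""
    return address.strip().casefold()


@dataclass
class ServerAddresses:
    """Addresses the server keeps in /settings/user: the primary one (also used
    for password reset) plus any additional notification addresses."""
    primary: Optional[str] = None
    additional: list[str] = field(default_factory=list)

    def usable(self) -> list[str]:
        """Primary first, then additional addresses, without duplicates."""
        seen: set[str] = set()
        out: list[str] = []
        for a in [self.primary, *self.additional]:
            if a and normalize(a) not in seen:
                seen.add(normalize(a))
                out.append(a)
        return out


@dataclass
class AppState:
    """What the app would persist in its own preferences namespace
    (hypothetical keys: 'address', 'verified')."""
    address: Optional[str] = None
    verified: bool = False


@dataclass
class Challenge:
    send_to: Optional[str]
    # "ok" | "ok-shares-reset-channel" | "unverified" | "unconfigured"
    status: str


def suggest_default(server: ServerAddresses) -> Optional[str]:
    """Default offered during setup: prefer an address that is not the
    password-reset (primary) address, so one compromised mailbox does not
    yield both the reset link and the second factor."""
    for a in server.usable():
        if server.primary is None or normalize(a) != normalize(server.primary):
            return a
    return server.primary


def setup_warnings(chosen: str, server: ServerAddresses) -> list[str]:
    """Explanatory hints the setup dialog can show for the chosen address."""
    warnings: list[str] = []
    if server.primary and normalize(chosen) == normalize(server.primary):
        warnings.append("same-as-primary")
    if normalize(chosen) not in {normalize(a) for a in server.usable()}:
        warnings.append("not-a-configured-address")
    return warnings


def save_address(state: AppState, chosen: str, server: ServerAddresses) -> list[str]:
    """Store an address (copied from the list or typed freely). Any change
    resets verification, so a challenge is never sent to an unconfirmed address."""
    chosen = chosen.strip()
    if "@" not in chosen:
        raise ValueError("not an email address")
    state.address = chosen
    state.verified = False
    return setup_warnings(chosen, server)


def confirm_verification(state: AppState, confirmed: str) -> bool:
    """Called when the user proves control of the address (e.g. a link clicked
    in a setup mail). Only the currently stored address can be confirmed."""
    if state.address and normalize(confirmed) == normalize(state.address):
        state.verified = True
    return state.verified


def prepare_challenge(state: AppState, server: ServerAddresses) -> Challenge:
    """Decide where a login challenge goes. The app's own copy survives edits in
    /settings/user; the only thing re-checked is whether the stored address has
    become the password-reset address, which is reported rather than hidden."""
    if not state.address:
        return Challenge(None, "unconfigured")
    if not state.verified:
        return Challenge(None, "unverified")
    if server.primary and normalize(state.address) == normalize(server.primary):
        return Challenge(state.address, "ok-shares-reset-channel")
    return Challenge(state.address, "ok")
```

The `ok-shares-reset-channel` status deliberately still delivers the code (the user chose that address) but gives the UI or an admin log something to act on; a setup flow built on this would show the `same-as-primary` hint at the moment the address is picked, which is where the thread's "explanatory text" belongs.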
Common issues
In both cases we need to know / decide
- how to retrieve the list of addresses set in /settings/user
- is it necessary to distinguish whether only one address is configurable or multiple (NC<22?)
- whether the email address being chosen/entered needs to be verified upon setup (see #83)
In my use case, we wanted to force users to keep the same original email address that they were assigned at account creation in case they were terminated from their employer and therefore had no need to access our data. I wrote a little php script that sets users email addresses back to the original if users try to change them. It does require that admins use the full email address as the username. My script also forces all users enabled with 2FA-email. https://github.com/nextcloud/server/issues/34938