
Setup new TOTP without disabling #678

Open
rullzer opened this issue Sep 9, 2019 · 8 comments

Comments

@rullzer
Member

rullzer commented Sep 9, 2019

I just had to move all my TOTP codes to my new phone.
However in order to do this I have to disable and re-enable the TOTP setting.

While valid it does feel a little... counter intuitive.

I'd prefer a button 'setup new TOTP' or whatever that guides us through the wizard again (also warning that previous codes are invalid). Would feel a bit more user friendly IMO.

@isdnfan

isdnfan commented Jan 23, 2021

I would appreciate such an option as well. Unfortunately the same request was rejected some time ago: #158
At least for a limited number of devices, say max 5.

@ChristophWurst
Member

@isdnfan re-read @rullzer's suggestions. This isn't about allowing more than one simultaneous code, it's about a simpler UX flow. With this approach the old registrations will still be invalidated.

@isdnfan

isdnfan commented Jan 31, 2021

@ChristophWurst I agree the request isn't exactly the same. From the wording 'setup new TOTP' I understood what I was looking for.

In general only one TOTP code is not ideal - the user can't pair multiple devices - like phone and tablet - for TOTP (or has to pair them at the same time). Other platforms like Google and Microsoft allow multiple TOTP devices - Nextcloud with WebAuthn as well - so why is it impossible to have multiple TOTPs, identified by a friendly device name, which could be invalidated one by one once the user stops using a specific device?

@ChristophWurst
Member

Other platforms like Google and Microsoft allow multiple TOTP devices

Proof? At least for Google I find official and unofficial sources that say you need to reset TOTP and scan the QR code with all your devices at once. Like exactly how you can set up more than one device here.

@isdnfan

isdnfan commented Feb 2, 2021

Here is a screenshot from the MS O365 security page: 3 different authenticator apps are registered:
[screenshot: MS O365 security page listing three registered authenticator apps]

@ToeiRei

ToeiRei commented Feb 21, 2021

I use hardware and an authenticator app as backup in case I left my USB key at home. I would love to have the same way on Nextcloud too.

@obrb

obrb commented Oct 27, 2021

I know this is just a workaround. But the initial QR code is just a letter/number string, which by the way is also displayed in plain text during the initial setup. This key can be copied and stored in a secure place (e.g. KeePass) and then used with as many TOTP apps and HW keys as you want. Also, many TOTP apps, like for example andOTP on Android, do have a backup function. This makes it very easy to transfer the codes to a new device without having to change anything in the corresponding accounts.
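
What the enrollment QR code actually carries, why the same secret yields identical codes on any number of apps or hardware tokens (the workaround above), and why re-running the wizard invalidates all of them at once (the point made earlier in the thread): an added example, not code from the twofactor_totp app. The otpauth URI, account label and secrets are constructed; the secret is the RFC 6238 SHA-1 test seed so the codes can be checked against the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI (not a real account): this is the text the QR code encodes.
# The secret is the RFC 6238 SHA-1 test seed, so outputs can be checked against the RFC.
ENROLL_URI = ("otpauth://totp/Nextcloud:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Nextcloud")

def parse_otpauth(uri):
    """Pull the shared secret and parameters out of an otpauth:// URI.
    Defaults follow common practice: SHA-1, 6 digits, 30-second steps."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")), "secret": q["secret"],
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30)),
            "algorithm": q.get("algorithm", "SHA1").lower()}

def totp(secret_b32, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HMAC over the time-step counter, then RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, code, unix_time, window=1, **kw):
    """Server-side check, tolerating +/- `window` steps of clock drift."""
    period = kw.get("period", 30)
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * period, **kw), code)
               for d in range(-window, window + 1))

def devices_agree(uri, unix_time, n_devices=3):
    """Every app or hardware token loaded with the same secret produces the same
    code, and the server, which holds that one secret, accepts it."""
    p = parse_otpauth(uri)
    kw = dict(digits=p["digits"], period=p["period"], algorithm=p["algorithm"])
    codes = {totp(p["secret"], unix_time, **kw) for _ in range(n_devices)}
    return len(codes) == 1 and verify(p["secret"], next(iter(codes)), unix_time, **kw)

def reenrollment_invalidates(old_uri, new_uri, unix_time):
    """Re-running the wizard issues a fresh secret, so a device that still holds
    the old secret is rejected: there is no per-device registration to keep."""
    old, new = parse_otpauth(old_uri), parse_otpauth(new_uri)
    return not verify(new["secret"], totp(old["secret"], unix_time), unix_time)
```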

@ToeiRei

ToeiRei commented Oct 27, 2021

@obrb that's how I currently work around that issue as well. Still not something I would trust an end-user with.
