
twofactor_u2f's Introduction

⚠️ Deprecated ⚠️ U2F second factor provider for Nextcloud

⚠️ The U2F standard has been deprecated and therefore this app will be discontinued. The Two-Factor WebAuthn app can be used as a replacement. Here you can find migration instructions.


Requirements

In order to use this app for authentication, you have to use a browser that supports the U2F standard:

  • Brave Browser
  • Chromium
  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Opera

Login with external apps

Once you enable U2F with Two Factor U2F, your applications (for example your GNOME app) will need to log in using device passwords, which can be managed in your security settings.

Official applications such as the Android or iOS clients and desktop clients can use much safer tokens to log in. Apps will automatically redirect you to a browser window to log in as usual.

Development Setup

This app uses composer and npm to manage dependencies. Use

composer install
npm install
npm run build

or if you're using Krankerl

krankerl up

to set up a development version of this app.

Supported devices

As this app implements the U2F standard, every device supporting U2F should work fine. The following devices are known to work:

twofactor_u2f's Issues

No error message for failed u2f sign request

Steps to reproduce

  1. Try to sign in, but with a key that has not been registered

Expected behaviour

See a nice error message that signing the challenge failed.

Actual behaviour

Nothing.

register multiple U2Fs

According to Yubico it is recommended to have multiple U2Fs for every Service. Sadly NC can only register one.

Users are recommended to register at least two U2F devices with every service provider, which may optionally also provide the user with a backup code should a U2F device be misplaced.

Shorten `twofactor_u2f_registrations` index name

 php ../../occ app:check-code twofactor_u2f
Database schema error: Name of table *dbprefix*twofactor_u2f_registrations is too long (27), max. 27 characters (21 characters for tables with autoincrement) + *dbprefix* allowed
App is not compliant

cc @rullzer

Disable U2F for dav requests

Hi
First, this is a really cool app. But I would really like to have the option to disable U2F for dav connections. I am syncing calendar and contacts via dav, but of course the clients which I use do not support U2F. So the option to disable it for this traffic would be fantastic.
Regards Tobias

U2F device registration error (code 4) message should be improved

Expected behavior

If you erroneously try to register an already registered U2F key again, the displayed error message should tell you exactly that.

Current behavior

If you try to register an U2F key again the following error message is displayed which is not pointing to the root cause of the problem:

20171006_u2f_registration_twice

Steps to reproduce

  1. Open the personal settings and select 'U2F-Two factor authentication'.
  2. Try to register an already registered U2F key again.

Environment

Server Configuration

OS: Linux 3.16.47
Web server: Apache2 2.4.26
Database: MariaDB 10.0.32
PHP version: 5.6.30
Nextcloud version: 12.0.3
Two Factor U2F app version: 1.3.3

Client Configuration

Browser: Mozilla Firefox 56.0
U2F Support Add-on version: 1.0.1
Operating system: Windows 7

Chat plugin available on the U2F verification screen

I am using the JavaScript XMPP Chat plugin and on the U2F verification page the chat windows are available, which is a security issue.

I am unsure whether this is an issue from your plugin or the JavaScript XMPP Chat. Please advise.

Codesigning Error

I just literally downloaded the addon-archive file from the addon website and it gives me a code signing error:

Results
=======
- twofactor_u2f
	- INVALID_HASH
		- vendor/yubico/u2flib-server/README.adoc

Raw output
==========
Array
(
    [twofactor_u2f] => Array
        (
            [INVALID_HASH] => Array
                (
                    [vendor/yubico/u2flib-server/README.adoc] => Array
                        (
                            [expected] => 2d2e6a59a43eb63310ad6f491abe7b93cec7c8b5c866728b404f89c0ec47fe67b0009fae7fa38dd8ff8c88d5605556bf7b107d7ea704d122d01e5142d006322a
                            [current] => a91d9337cadaf5018990069e81872d282fb96e829d2e042417bcd3bf713f10eda4c487a6d21748e2e39447ec351656cfa00d01280dbe4d17f895b6870cb137f1
                        )
                )
        )
)

that file just reads README both in the addon and in the u2flib server files from yubico themselves

Make it workable without second click

Hello,

I activated u2f and totp, so I have to select one of them after login. It would be nice if it were possible to get both options without one more click, like it is in gitlab, github or most other clients. Would be great. Everything else works great, thanks for your work.

How to make U2F working behind haproxy

Hi,

I have nextcloud running behind haproxy, which works in general, but not with U2F.
Maybe this is a "feature", that U2F detects the MITM, but in this case it is not an attack,
but a desired feature, that I can run nextcloud behind haproxy.

I don't know the technical details on how U2F sends its challenge/response over https (or uses its separate connection?).
But actually there is a TLS connection from the browser to the haproxy with one haproxy-certificate.
So haproxy is the endpoint of this connection and creates a separate one to nextcloud via TLS.
This also means that haproxy sees the unencrypted data, but both servers are under my control,
no problem here.

Any ideas why U2F does not work via haproxy? and how to fix this?

Add install instructions

I tried to install and test the twofactor_u2f app on a test system running on a current master of Nextcloud. I don't manage to install it and I get the following error:

{"reqId":"Sg2lML52beCy\/8MdqsCY","remoteAddr":"myip","app":"PHP","message":"require_once(\/var\/www\/nextcloud\/apps\/twofactor_u2f\/lib\/Service\/..\/..\/vendor\/yubico\/u2flib-server\/src\/u2flib_server\/U2F.php): failed to open stream: No such file or directory at \/var\/www\/nextcloud\/apps\/twofactor_u2f\/lib\/Service\/U2FManager.php#15","level":3,"time":"2016-10-30T13:59:25+00:00","method":"GET","url":"\/nextcloud\/index.php\/apps\/files","user":"mail-address","version":"9.2.0.4"}
{"reqId":"Sg2lML52beCy\/8MdqsCY","remoteAddr":"myip","app":"PHP","message":"require_once(): Failed opening required '\/var\/www\/nextcloud\/apps\/twofactor_u2f\/lib\/Service\/..\/..\/vendor\/yubico\/u2flib-server\/src\/u2flib_server\/U2F.php' (include_path='\/var\/www\/nextcloud\/3rdparty\/pear\/console_getopt:\/var\/www\/nextcloud\/3rdparty\/pear\/pear_exception:\/var\/www\/nextcloud\/3rdparty\/pear\/pear-core-minimal\/src:\/var\/www\/nextcloud\/3rdparty\/pear\/archive_tar:\/var\/www\/nextcloud\/apps') at \/var\/www\/nextcloud\/apps\/twofactor_u2f\/lib\/Service\/U2FManager.php#15","level":3,"time":"2016-10-30T13:59:25+00:00","method":"GET","url":"\/nextcloud\/index.php\/apps\/files","user":"mail-address","version":"9.2.0.4"}

It looks like I forget to initialize something. If you need to do more than a git clone, this should perhaps be mentioned on the overview-page.

Is this real?

Hi,
I'm just wondering whether this plugin is actually working or just a dummy? How do I install and set it up? I'd really love to be able to use my Yubikey with nextcloud :-)

Cheers

1.0 Beta 1 ready for testing

Hi everyone,

I have just uploaded a beta for v1 of this app to https://github.com/nextcloud/twofactor_u2f/releases/tag/1.0.0-beta1.

Would be cool if some people could test it on their installations and let me know if something breaks. Especially the new nfc support should be tested because I do not own a nfc compatible token.

If all goes well I will release v1 to the app store soon!

Thanks :-)
🔑 🔒 ☁️ 🚀

cc @eddydevink @Framartin @icewind1991 @itay-grudev @LukasReschke @My1

Add Backlink to 2FA selection

It is kinda annoying when you select a 2FA provider and then realize you can't use it (no U2F stick at hand, wrong browser etc.) that your only choices are backup code and cancel login.

In my opinion there should be a button that just brings you back to the list of challenges.

Also, why does the Backup code button come there? Wouldn't it make more sense if that would be on the 2FA selection screen?

Force generation of 2FA backup codes when enabling 2FA

The problem now is that a user who didn't read the documentation can enable 2FA without generating his 2FA backup codes. The problem is that if he loses his 2nd factor, the sysadmin has to choose between manually deactivating the 2FA for the user (and then 2FA becomes useless), or making the user sad.

A solution can be to not offer the possibility of activating 2FA if the backup codes aren't generated. Or just print a big warning message.

U2F broken after upgrade to Nextcloud 15

Steps to reproduce

  1. Upgrade Nextcloud from 14 to 15 with previously working U2F authentication.
  2. Attempt to log in.
  3. Receive error message "Sign failed."

Expected behaviour

Tell us what should happen
U2F should work.

Actual behaviour

Tell us what happens instead
Error message "Sign failed" and unable to log in.

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache

Database: MariaDB

PHP version: 7.2

Version: (see admin page) App version 2.1.0, Nextcloud version 15

Updated from an older version or fresh install: Updated and fresh install (removed app and reinstalled as troubleshooting after Nextcloud upgrade)

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your server installation folder

Enabled:

  • accessibility: 1.1.0
  • cloud_federation_api: 0.1.0
  • comments: 1.5.0
  • dav: 1.8.0
  • federatedfilesharing: 1.5.0
  • files: 1.10.0
  • files_pdfviewer: 1.4.0
  • files_sharing: 1.7.0
  • files_texteditor: 2.7.0
  • files_trashbin: 1.5.0
  • files_versions: 1.8.0
  • files_videoplayer: 1.4.0
  • gallery: 18.2.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.3.0
  • nextcloud_announcements: 1.4.0
  • notes: 2.5.1
  • notifications: 2.3.0
  • oauth2: 1.3.0
  • password_policy: 1.5.0
  • passwords: 2019.1.0
  • phonetrack: 0.4.0
  • provisioning_api: 1.5.0
  • serverinfo: 1.5.0
  • spreed: 5.0.0
  • support: 1.0.0
  • systemtags: 1.5.0
  • twofactor_backupcodes: 1.4.1
  • twofactor_totp: 2.1.0
  • twofactor_u2f: 2.1.0
  • updatenotification: 1.5.0
  • workflowengine: 1.5.0

Disabled:

  • activity
  • admin_audit
  • encryption
  • federation
  • files_external
  • firstrunwizard
  • sharebymail
  • survey_client
  • theming
  • user_external
  • user_ldap

The content of config/config.php:

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or

Insert your config.php content here
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

{
"system": {
"instanceid": "REMOVED SENSITIVE VALUE",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"[REDACTED]"
],
"datadirectory": "REMOVED SENSITIVE VALUE",
"overwrite.cli.url": "[REDACTED]",
"dbtype": "mysql",
"version": "15.0.0.10",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"memcache.local": "\OC\Memcache\APCu",
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"maintenance": false,
"htaccess.RewriteBase": "/",
"theme": "",
"loglevel": 2,
"updater.release.channel": "stable",
"updater.secret": "REMOVED SENSITIVE VALUE"
}
}

Client configuration

Browser:
Pale Moon 28.2.1, using Firefox U2F Support Add-on 1.0.1

Operating system:
Linux Mint 17.1

Logs

Web server error log
Insert your webserver log here

(Nothing related to this issue in error log)

Server log (data/nextcloud.log)
Insert your server log here

(Nothing related to this issue in access log)

Browser log
Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log

could not sign u2f challenge Error: Sign failed
Stack trace:
u@https://[REDACTED]/apps/twofactor_u2f/js/challenge.js?v=160f7233:33:14231
e.sign/</</<@https://[REDACTED]/apps/twofactor_u2f/js/challenge.js?v=160f7233:33:15283

challenge.js:60:17630
Error: Sign failed

Log from U2F add-on:

EB1 sign https://[REDACTED] [{challenge:"[REDACTED]", appId:"[REDACTED]"}] null
EB2 /home/[REDACTED]/extensions/[email protected]/bin/linux_x86_64-gcc3/u2f
EB3 ({killed:false, exitCode:(void 0), signalCode:(void 0), stdin:{readable:false, writable:false, encoding:null}, stdout:{readable:false, writable:false, encoding:null}, stderr:{readable:false, writable:false, encoding:null}})
stdin s001b00010061 https://[REDACTED]{"challenge":"[REDACTED]","appId":"https://[REDACTED]"}
EBD e0046{"errorCode": 2, "errorMessage":"authenticate:error in JSON handling"}
exit 1 null

-----EDIT-----

I stepped through the Javascript involved with the authentication and found that neither the key_handle value nor the version value are being properly passed from the Nextcloud U2F app functions to the authenticator addon functions. The values of both of those remain undefined in the U2F addon functions and hence the authentication fails as no key_handle value is presented to the U2F device.

I was able to successfully log in using the following process:

  1. Open the Javascript debugger in Pale Moon.
  2. Load the Nextcloud login page.
  3. Set a breakpoint on line 68 of content-worker.js from the Add-on SDK. The file path is resource://gre/modules/commonjs/sdk/content/content-worker.js (This exact line was found by single-stepping from another breakpoint set in the content-script.js from the U2F addon.)
  4. Enter valid user credentials.
  5. Single-step (F11) through the code until the variable k = "keyHandle".
  6. Change the value of the variable v from undefined to the string value of key_handle found in the oc_twofactor_u2f_registrations table in the Nextcloud database.
  7. Click the resume button (F8) to continue to run the rest of the code normally. This triggers the prompt to push the button on the U2F device and allows the login to continue as expected. I had to click the run option in the debugger a couple more times as the breakpoint was hit again during the login process.

I found that steps 5 through 7 must be completed in under 30 seconds to avoid triggering a timeout and causing the login process to fail.
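
Added example (not part of the issue report above and not code from twofactor_u2f or the U2F add-on): a pre-flight check for the arguments a page hands to the U2F JavaScript API sign call. It flags a request shaped like the one in the add-on log, where only `challenge` and `appId` are present, and also checks the HTTPS and appId-origin conditions; `checkSignRequests`, `toV11SignArgs`, `describeU2fError` and all sample values are hypothetical names and constructed data.

```javascript
// Added example, not code from twofactor_u2f or any U2F add-on.

// Error codes defined by the FIDO U2F JavaScript API.
const U2F_ERRORS = {
  1: 'OTHER_ERROR',
  2: 'BAD_REQUEST',
  3: 'CONFIGURATION_UNSUPPORTED',
  4: 'DEVICE_INELIGIBLE',
  5: 'TIMEOUT',
};

function describeU2fError(code) {
  return U2F_ERRORS[code] || `unknown U2F error code ${code}`;
}

const WEBSAFE_B64 = /^[A-Za-z0-9_-]+$/;
const REQUIRED = ['version', 'challenge', 'keyHandle', 'appId'];

function parseUrl(value) {
  try {
    return new URL(value);
  } catch (e) {
    return null;
  }
}

// Returns a list of problems; an empty list means the sign requests are
// well-formed for the page that is about to call the U2F API.
function checkSignRequests(pageUrl, requests) {
  const problems = [];
  const page = parseUrl(pageUrl);
  if (!page) {
    problems.push('page URL cannot be parsed');
  } else if (page.protocol !== 'https:') {
    problems.push(`page origin ${page.origin} is not HTTPS`);
  }
  if (!Array.isArray(requests) || requests.length === 0) {
    problems.push('no sign requests were supplied');
    return problems;
  }
  requests.forEach((req, i) => {
    const where = `request[${i}]`;
    if (req === null || typeof req !== 'object') {
      problems.push(`${where}: not an object`);
      return;
    }
    const present = (f) => typeof req[f] === 'string' && req[f] !== '';
    for (const field of REQUIRED) {
      if (!present(field)) problems.push(`${where}: ${field} is missing`);
    }
    if (present('version') && req.version !== 'U2F_V2') {
      problems.push(`${where}: unexpected version ${req.version}`);
    }
    for (const field of ['challenge', 'keyHandle']) {
      if (present(field) && !WEBSAFE_B64.test(req[field])) {
        problems.push(`${where}: ${field} is not websafe base64`);
      }
    }
    if (present('appId')) {
      const app = parseUrl(req.appId);
      if (!app || app.protocol !== 'https:') {
        problems.push(`${where}: appId is not an HTTPS URL`);
      } else if (page && app.origin !== page.origin) {
        // A key handle is bound to the appId it was registered under.
        problems.push(`${where}: appId origin ${app.origin} differs from page origin ${page.origin}`);
      }
    }
  });
  const challenges = new Set(
    requests.map((r) => r && r.challenge).filter((c) => typeof c === 'string')
  );
  if (challenges.size > 1) {
    problems.push('requests carry different challenge values');
  }
  return problems;
}

// Reshape validated requests into the U2F API v1.1 arguments:
// one appId, one challenge and a list of registered keys.
function toV11SignArgs(pageUrl, requests) {
  const problems = checkSignRequests(pageUrl, requests);
  if (problems.length > 0) throw new Error(problems.join('; '));
  return {
    appId: requests[0].appId,
    challenge: requests[0].challenge,
    registeredKeys: requests.map((r) => ({ version: r.version, keyHandle: r.keyHandle, appId: r.appId })),
  };
}

// Constructed sample inputs (not real values).
const SAMPLE_PAGE = 'https://cloud.example.test/login/challenge/u2f';
const SAMPLE_BROKEN = [{ challenge: 'Y2hhbGxlbmdl', appId: 'https://cloud.example.test' }];
const SAMPLE_OK = [{ version: 'U2F_V2', challenge: 'Y2hhbGxlbmdl', keyHandle: 'a2V5LWhhbmRsZQ', appId: 'https://cloud.example.test' }];

console.log(checkSignRequests(SAMPLE_PAGE, SAMPLE_BROKEN));
console.log(checkSignRequests(SAMPLE_PAGE, SAMPLE_OK));
```

Running the same check server-side before the challenge page is rendered gives a place to log a specific reason instead of a bare "Sign failed".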

1.3.1 seems to have broken Chrome authentication

I just installed 1.3.1 on NC11. I was previously using 1.2.0.
Now I can log in with TOTP, but not with U2F. I deleted my previous token and enrolled a new one.
I'm using a Yubikey Neo, Chrome 58.0.3029.96 (64-bit) on latest Mac OS 10.12.4.

It works under Firefox with the U2F extension, but not with Chrome, now. It seems to be stuck and doesn't send anything to the server. Moreover, I used my token to login to Github to open this issue. Although I don't usually reboot to swipe errors under the carpet, I tried to close and open a new Chrome instance. Obviously it didn't change anything :-)

BTW, thank you for your work, the two authentication apps for NC really rock.
doc

EDIT: I can confirm that reverting back to 1.2.0 makes my Chrome working again.

Migrate app to Vue

Since we want to migrate away from handlebars so we can make the CSP stricter eventually it would make sense to port this app to Vue.

At the same time this has the advantage that we no longer will depend on core js stuff.

u2f blocks ocs api and MacOS desktop client

When I enable u2f my MacOS desktop client fails to login. Even setting up the client from scratch fails with user unauthorized.

Additionally, I have a script using the ocs API, which gets the following error after U2F is enabled:
< status >failure</ status >
< statuscode >997</ statuscode >
< message >Current user is not logged in</ message >

Is there any way to disable u2f on ocs API and for the desktop client? I get that it's less secure, but even if I could, I wouldn't want to use my u2f every time my script runs. And for desktop client u2f obviously has to be disabled until the client supports it.

9 out of 10 times, u2f device is not detected

Steps to reproduce

  1. login to nextcloud
  2. get u2f prompt, press button on token

Expected behaviour

Should authenticate

Actual behaviour

Nothing happens

My client is Chrome 67.
My token is a Yubikey NEO. It works with other applications.

Usually, when I get the "Please plug in your U2F device and press the device button to authorize" prompt, I push the button on my device, and there is no response on the web page. I know the device saw my button press because the light blinks. And again, the token works on other u2f applications.

If I refresh the nextcloud login page over and over, eventually I can get it to respond. It's almost like it doesn't have focus or it's not looking for it.

Strangely, sometimes it just works perfectly the first time. I've tried to find a pattern but nothing obvious so far.

Version is 1.5.5.
Nextcloud is 13.0.4.

U2F device registration failed (error code 2)

I downloaded the app from GitHub, updated and enabled it but when I go in personal settings and check

Use U2F device

It fails and the error: "U2F device registration failed (error code 2)" pops up

Using:
NextCloud 11.0.1 (stable)
Two Factor U2F 1.1.0

U2F for Safari works - Please test and Enable

Feature Request

U2F for Safari works - Please test and Enable

Summary

I've tested it by

  1. downloading and compiling Safari-FIDO-U2F then setting my user agent to Chrome (because the script is checking ;) ):
    screen shot 2018-05-16 at 11 44 20 pm

  2. Registering my OnlyKey:
    screen shot 2018-05-16 at 11 53 41 pm

  3. Then logging out and in:
    screen shot 2018-05-16 at 11 44 38 pm

  4. Profit!
    🚢

Prefer U2F auth instead of TOTP when both is setup

Feature Request

Use case: Secure and convenient user login
User story: I, as a user of Nextcloud with U2F and TOTP 2FA setup, want to prefer logging in with U2F, because I want a convenient login.

What currently happens

I have to click to choose which mode I want to use. That is cumbersome and makes me sad… 😢

Summary (What should happen)

U2F can be automatically triggered if a key is available. Only if I decline that, I should be able to fallback to TOTP.
(I see no use case at all of using/preferring a less convenient method like TOTP over U2F if I have both. However… okay, on mobile devices without a USB port it is possible, if your key does not have NFC.)

GitHub e.g. does it like this and the login flow is really convenient.

Adaption to U2F API v1.1

This is a list of bugs currently in the U2F App which I found after a quick review.

  • Database needs to store transports presented by a registration response
  • Challenge page needs to show a single challenge value and a list of registered keys
  • u2f app's challenge page needs to properly call u2f api with the correctly provided values
  • Registration page needs to properly show registered keys and a single register request
  • u2f app's register page needs to properly call u2f api with the correctly provided values

This thing with multiple challenges is the cause for breaking multiple devices. There might be some more bugs related to the items above.
cc @ChristophWurst @LukasReschke

A2F over NFC on Android doesn't work anymore

I am using several instances of Nextcloud (13.01).
FIDO A2F works fine on my Linux desktop, even with Firefox (59.0.1).
But I can't use my tokens on my Android devices anymore (Android 7; Chrome).
Also not with Bluetooth anymore.
NB

  1. Some time ago (a month or so) both methods (NFC and Bluetooth) worked fine.
  2. On the demo pages from Yubico and Google both methods work fine.

U2f Support broken In firefox

I am using Firefox 50.1.0 in Debian Jessie, along with Nextcloud 12.0.2 and the U2F 1.3.3 plug-in. I was previously able to use Firefox's u2f plug-in (version 1.0.1) with Nextcloud, but now it only says an error occurred. I am able to use the u2f function for github and fastmail, so I am suspecting there was something that was broken along the updates.

Please let me know what logs to submit to help debugging.

Thank you!

wrong app ID in info.xml

Hello,
after activate the plugin with nextcloud 12.0 beta 2 I got this error:

App for id twofactor_u2f has a wrong app ID in info.xml:

Bug - strange behavior with two networks

Hi, I encounter a strange behavior of this plugin on my NextCloud 12.0.3 install.

1st test / distant access
Access through web connection 212.51..
1- install this plugin from the nextcloud app
2- add an U2F Key for my account, naming it.
3- log out, then log in..
Everything is working well

2nd test / local
I went back to my work office, then I accessed Nextcloud from an internal IP (same computer, same U2F Key). Access through 172.20.90.***
1- I got an error when I need to connect the key and push its button. I can't connect to my Nextcloud
2- Tried to connect with ethernet cable instead of wifi, same result.
3- tried to reboot the computer, same result
4- tried to change the USB port used by my U2F key, same result

screenshot_2

3rd test / Tethering
Then, I tried to connect to my Nextcloud through a tethering access, as I didn't have my recovery password with me.
1- connect through my smartphone
2- as expected, the connection is okay.
Then, I deactivate my 2nd authentication key, and I can work from my work office.

4th test / reactivate U2F from my work office network
Connected to my work office network, I log in to NextCloud, then re-register my U2F Key.
1- Log out, then log in: everything is fine, I can log in with my IDKey, no problem.
2- I tried to access Nextcloud through tethering. Then, I can't use my U2F key to access. I got the same error message as in the second test.

So, I can use this U2F authentication only on a local network, OR a distant one, but not the two! This is really annoying!

Please, could you take a look at this case?

U2F not working on local network

The U2F plugin is working great except for one issue. It is not working when I log on within my local network. I get the screen to tap my U2F key and my U2F key starts blinking. I tap the device and it stops blinking. Then nothing happens. I will not get another page and I don't see my browser is loading another page.

Is this a bug or is this expected behaviour?

I use nextcloud 11.0.0 and U2F plugin version 0.1.0 with chromium 55.0.2883.75 (64-bit) and a Yubikey 4 as U2F device.

calendar & contacts can't be synced any more

hi,

first of all, this is great work, thank you! i just installed the app and registered a yubikey neo, works like a charm and is very intuitive.

however, as soon as i activated the U2F device, my smartphone complained that it can no longer sync calendars and contacts (i'm using DAVdroid on an android phone, it says username/password don't match any more). i don't know if this is to be expected, as the overall description of the app's functionality is maybe a bit sparse ;-)

i was assuming that U2F was mainly protecting the login to the web frontend, but you could still use those services. it would be a bit impractical to authenticate your devices each time the calendars would like to sync, as this could be every five minutes or so. is there something i can do about this?

Cannot enable the app on Nextcloud 14

I have version 1.6.1 installed on my server but cannot enable it due to

This app cannot be installed because the following dependencies are not fulfilled:

  • Server version 13 or lower is required.

Server Auth Settings being ignored

Thanks for the library. However, I noticed that you are not picking up the authserver settings from the settings panel. I use my own verification server, so it wasn't working for me.

I solved the problem by modifying the verify function within twofactor_yubikey/lib/Service/Yubiotp.php

-$yubi = new \Auth_Yubico($clientID, $secretKey)
+$yubi = new \Auth_Yubico($clientID, $secretKey,$config->getUseHttps(), $config->getValidateHttps());
+$yubi->addURLpart($config->getAuthServerURL());
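Review bot: the added `$yubi->addURLpart($config->getAuthServerURL());` line runs unconditionally, so an empty or malformed auth server setting is handed to the client as a verification URL; guard it with a non-empty check and validate the value before adding it. On the constructor line, `$config->getUseHttps()` and `$config->getValidateHttps()` let a stored setting turn off HTTPS or certificate validation for the OTP verification call, so both should fall back to enabled when the setting is absent.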

I would consider fixing it.

Thanks,
Manny

U2F not supported

Hi,
I just updated to Nextcloud 13.0 and it seems the U2F app (version 1.5.1) now doesn't work anymore.
If I want to add a new token I received the message "U2F not supported" and the Google Authenticator doesn't show up anymore.
screenshot_20180208-111114

I use Chrome on Android in version 63.0.3281.137. Before the update from Nextcloud 12.04 the app worked fine. Any idea what happened?

Feature Request: Enforce U2F

Hello team,

I really like the U2F plugin but I would love to have the possibility to enforce it for my users.

A similar thing is currently in the works for TOTP over here: nextcloud/twofactor_totp#41

Maybe there is a possibility for synergy here?

Mobile App & Carddav

Hello,

The u2f authorization is great. My problem is the Caldav, Carddav and the mobile app stop working. Will there be a solution?

kind regards

Add release

as simple as it sounds, a release with all the composer stuff already resolved similar to https://github.com/ChristophWurst/twofactor_totp/releases which allows users to just place it in the extension directory and finish it.

This also allows people who don't want to have extra things on their servers (or don't trust composer for whatever reason) to use this without further problems.

Error with oc_twofactor_backup_codes

I had everything tested with 1.3.0 and it worked. Some week ago I upgraded Nextcloud to Nextcloud 11.0.3 (stable)

When I tested the multiple devices feature I found the Table oc_twofactor_backup_codes but it seemed to have no effect at all. After carefully renaming and much testing I deleted it because nothing seemed to miss it after a lot of testing.
Now I wanted to retest 1.3.0 (and then 1.3.1) with two plug-up U2F-Sticks because of this issue-thread #45. After installing two sticks in a row and a relogin I got a server error.
screenshot_4

The log says:

Doctrine\DBAL\Exception\TableNotFoundException: An exception occurred while executing 'SELECT id, user_id, code, used FROM oc_twofactor_backup_codes WHERE user_id = ?' with params ["Archiv"]: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'owncloud.oc_twofactor_backup_codes' doesn't exist

When I disable twofactor_u2f and enable twofactor_u2f this table is not inserted.
When I upgrade 1.3.0 to 1.3.1 it is not inserted as well.

I once removed this original table oc_twofactor_backup_codes and oc_twofactor_u2f_registrations and the datafolder to test the feature and its reliability.
When I reinstalled the App it did create oc_twofactor_u2f_registrations but not oc_twofactor_backup_codes. (I guess, quite sure)

When I search oc_twofactor_backup_codes within the whole nextclouds mysql database, there are 0 results.

At this time I don't really know why oc_twofactor_backup_codes is needed nor why it is not created, but I guess that might have something to do with my Nextcloud updating?

NOTE: This might be my own fault because of tampering with the app some weeks ago, but it might be some missing table definition as well. I cannot tell.
screenshot_3
screenshot_1
screenshot_2

FIDO2

Feature Request

Switch to the new FIDO2/W3 APIs that are U2F backwards compatible?

Registration failed for YubiKey 4

I want to register my YubiKey on NextCloud 13.0.0. My instance is behind a reverse proxy (nginx). The proxy terminates SSL with a valid Let's Encrypt certificate.

Document that HTTPS is required and warn if it's not used

A common problem that I am seeing while logging in is that with chrome (and opera) you won't be going far if you are on HTTP (errorcode 2). The firefox addon allowed HTTP when I last tried but that's actually false behavior

NOTE
Web facets must use HTTPS [...]

So it would make most sense to kick the user to HTTPS if he isn't yet.

Also you should update your shots. They show an HTTP connection which as I said won't work with the U2F standard by definition.

But while we are at it, what kind of weird browser are you using, those shots certainly don't look like any browser I've seen yet
