How to configure TOTP?

[Darkassassin07]

I'm not seeing a whole lot of documentation on this. So I figured I'd start a discussion before opening an issue.

I've specified an auth.totpSecret in my config, just a randomized 32char string, is there something specific I should be using?

I'm currently only using password auth and trying to enable this for my admin user. Headed into the user config page, enabled the 'two-factor auth' toggle, then clicked on 'reset and generate new two-factor code'. I'm presented with a QR code, however none of the qr reader apps I've tried will read it. I tried adding it directly to bitwarden via it's app, tried scanning with the default camera app to manually retrieve and add the code, tried 4 or 5 random QR reader apps from the app store; it's a broken/unreadable qr code.

V0.7.10-beta

[gtsteffaniak]

There's not much documentation on it because I really don't know anything about it either, so definitely a good idea to start a discussion.

For starters, I think it just needs to be a secure string, something like this should work.

Personally, I use this to generate a safe string that's secure enough.

openssl rand -hex 32

And the same is true for onlyoffice secret as well, I believe its just a random string as well. However, I tell people to use the onlyoffice container to generate a secret, since I am not sure.

I will wait a while for others to chime in before updating the docs -- I'm no expert on this, perhaps there's better ways to do this.

[Darkassassin07]

I assumed the totpSecret was required. I removed it and now I'm getting working qr codes, with the manual code displayed above. (it's not displayed above the non working codes)

The working ones are also significantly larger/denser than the broken ones.

So, something is up with configuring a secret then.

[Darkassassin07]

Before I go ahead and enable it on my admin user; how does one disable a users totp via the console/config/docker?

[gtsteffaniak]

I thought I had the ability for admins to set OTP, but that wasn't there. If you re-pull the latest 0.7.10 image an admin user should see the same OTP toggle in user settings. So an admin can disable existing user's OTP.

[Darkassassin07]

That only works if you can login as an admin.

If I manage to lock myself out of my only admin user due to breaking 2fa, how do I recover?

When the only access left is through console/files/the container itself and not being able to login to the web interface; how does one remove/reset 2fa?

[gtsteffaniak]

A CLI password reset also resets the OTP, if it came down to that.

[gtsteffaniak]

Testing this I just noticed, be very careful about setting this if users already have TOTP already set. They won't be able to login until another admin turns their TOTP back off and they generate a new one. (or until you unset the totpSecret back to blank)

Which makes me think changing the totpSecret should reset all existing totp configurations (or just turning it off if not enforced)