Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. 2FA for all LDAP apps

2FA for all LDAP apps

Scheduled Pinned Locked Moved Solved Feature Requests
2fa
47 Posts 12 Posters 10.2k Views 11 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • marcusquinnM marcusquinn

    @jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

    jdaviescoatesJ Offline
    jdaviescoatesJ Offline
    jdaviescoates
    wrote on last edited by
    #28

    @marcusquinn see also Nitter and similar apps for accessing other platforms.

    I use Cloudron with Gandi & Hetzner

    marcusquinnM 1 Reply Last reply
    1
    • marcusquinnM marcusquinn

      @jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

      jdaviescoatesJ Offline
      jdaviescoatesJ Offline
      jdaviescoates
      wrote on last edited by
      #29

      @marcusquinn said in 2FA for all LDAP apps:

      I deleted the Facebook app a long time ago

      I never even installed it as it asked for such a ridiculous number of permissions.

      I use Cloudron with Gandi & Hetzner

      1 Reply Last reply
      0
      • jdaviescoatesJ jdaviescoates

        @marcusquinn see also Nitter and similar apps for accessing other platforms.

        marcusquinnM Online
        marcusquinnM Online
        marcusquinn
        wrote on last edited by
        #30

        @jdaviescoates Nice. will try. Been looking at https://jarvee.com/ - maybe of interest in a similar API access approach but more for data-mining and marketing.

        Web Design https://www.evergreen.je
        Development https://brandlight.org
        Life https://marcusquinn.com

        1 Reply Last reply
        0
        • LonkleL Lonkle

          @marcusquinn Security has become my newest point of interest in the programming world - amazing how ridiculously insecure things were even 15 years ago.

          mehdiM Offline
          mehdiM Offline
          mehdi
          App Dev
          wrote on last edited by
          #31

          @Lonk said in 2FA for all LDAP apps:

          amazing how ridiculously insecure things were even 15 years ago.

          I think people are going to think the same 15 years from now ^^

          1 Reply Last reply
          1
          • marcusquinnM marcusquinn

            What most people don't realise is that all the add-ons, extensions and social-logins would once have been considered trojans for the snooping capabilities they have.

            I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

            So, it doesn't matter how good my security is, we all rely on the security of everyone we are connected to.

            mehdiM Offline
            mehdiM Offline
            mehdi
            App Dev
            wrote on last edited by
            #32

            @marcusquinn said in 2FA for all LDAP apps:

            I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

            I think it's just a coincidence ^^ There is no reason to think ad companies are literally listening to you 24/7 : it's too costly from a computing power standpoint, so not worth it.

            What they're doing is "just" knowing everything else about you : who you're talking to, what your looking at online, what are your interests, your age, where you live ... And based on that, they can just guess that you may be interested in coffee machines.

            (Which, if you ask me, is even scarier that being listened to ^^)

            marcusquinnM 1 Reply Last reply
            1
            • mehdiM mehdi

              @marcusquinn said in 2FA for all LDAP apps:

              I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

              I think it's just a coincidence ^^ There is no reason to think ad companies are literally listening to you 24/7 : it's too costly from a computing power standpoint, so not worth it.

              What they're doing is "just" knowing everything else about you : who you're talking to, what your looking at online, what are your interests, your age, where you live ... And based on that, they can just guess that you may be interested in coffee machines.

              (Which, if you ask me, is even scarier that being listened to ^^)

              marcusquinnM Online
              marcusquinnM Online
              marcusquinn
              wrote on last edited by
              #33

              @mehdi I think more likely the person I was talking to had been searching for coffee machine related recently.

              I hear a lot of the claims that you'd be able to see the bandwidth if audio was going to central servers but with the computing power in phones I'm pretty sure they can do the local transcription and just send the data encoded for minimal footprint.

              It mostly appears to be contact cross-referencing interests but given that any big ad network could acquire data by proxy from a chain of apps to keep their distance from the actual spyware themselves, I'm just increasingly aware of coincidences.

              Web Design https://www.evergreen.je
              Development https://brandlight.org
              Life https://marcusquinn.com

              fbartelsF 1 Reply Last reply
              0
              • marcusquinnM marcusquinn

                @mehdi I think more likely the person I was talking to had been searching for coffee machine related recently.

                I hear a lot of the claims that you'd be able to see the bandwidth if audio was going to central servers but with the computing power in phones I'm pretty sure they can do the local transcription and just send the data encoded for minimal footprint.

                It mostly appears to be contact cross-referencing interests but given that any big ad network could acquire data by proxy from a chain of apps to keep their distance from the actual spyware themselves, I'm just increasingly aware of coincidences.

                fbartelsF Offline
                fbartelsF Offline
                fbartels
                App Dev
                wrote on last edited by
                #34

                @marcusquinn said in 2FA for all LDAP apps:

                I hear a lot of the claims that you'd be able to see the bandwidth if audio was going to central servers

                You need a ridiculously low amount of bandwidth to transmit proper audio: https://www.wowza.com/blog/opus-codec-the-audio-format-explained

                But the discussion has already went off topic enough.

                Let's just hope applications will be faster I'm adopting webauthn, than they are at implementing oidc.

                1 Reply Last reply
                3
                • marcusquinnM marcusquinn

                  @jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

                  jdaviescoatesJ Offline
                  jdaviescoatesJ Offline
                  jdaviescoates
                  wrote on last edited by
                  #35

                  @marcusquinn said in 2FA for all LDAP apps:

                  @jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

                  One thing I've started doing is using the browser "install app/ add to homepage" whatever they call it feature for various things like Twitter/ Mastodon/ this and other Forums I use so they kinda sorta work like apps but really I'm just using the browser (but I stay logged in and don't have to install the actual app)

                  I use Cloudron with Gandi & Hetzner

                  marcusquinnM 1 Reply Last reply
                  0
                  • jdaviescoatesJ jdaviescoates

                    @marcusquinn said in 2FA for all LDAP apps:

                    @jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

                    One thing I've started doing is using the browser "install app/ add to homepage" whatever they call it feature for various things like Twitter/ Mastodon/ this and other Forums I use so they kinda sorta work like apps but really I'm just using the browser (but I stay logged in and don't have to install the actual app)

                    marcusquinnM Online
                    marcusquinnM Online
                    marcusquinn
                    wrote on last edited by
                    #36

                    @jdaviescoates Ditto! If you install Firefox Focus, that adds a bit more privacy capability to all other browsers too. (iOS at least)

                    Web Design https://www.evergreen.je
                    Development https://brandlight.org
                    Life https://marcusquinn.com

                    jdaviescoatesJ 1 Reply Last reply
                    1
                    • marcusquinnM marcusquinn

                      @jdaviescoates Ditto! If you install Firefox Focus, that adds a bit more privacy capability to all other browsers too. (iOS at least)

                      jdaviescoatesJ Offline
                      jdaviescoatesJ Offline
                      jdaviescoates
                      wrote on last edited by jdaviescoates
                      #37

                      @marcusquinn nice, I might give that a spin. I've actually got uBlock Origin and Privacy Badger addons installed on my Firefox Android... but now I'm wondering if they get used/ included in app instances... hope/ guess so!

                      I've recently tried out Bromite (a privacy focused fork of Chromium) after someone mentioned when I tweeted about an annoyance with using Mastodon using Firefox on Andriod (with long toots it's impossible to reply because you can't get down to the Toot button)... I quite like it but even though it's using uBlock and other filters it doesn't seem to actually block as much as Firefox + uBlock (possible because Bromite doesn't support CSS filter, I think).

                      Have you looked into good open source source Chromium forks before? Ideally ones that block ads. I find Twitter works better in Chromium based browsers on Android than on Firefox, but I can't stand seeing ads and I don't see them on Firefox with uBlock...

                      I use Cloudron with Gandi & Hetzner

                      marcusquinnM 1 Reply Last reply
                      1
                      • jdaviescoatesJ jdaviescoates

                        @marcusquinn nice, I might give that a spin. I've actually got uBlock Origin and Privacy Badger addons installed on my Firefox Android... but now I'm wondering if they get used/ included in app instances... hope/ guess so!

                        I've recently tried out Bromite (a privacy focused fork of Chromium) after someone mentioned when I tweeted about an annoyance with using Mastodon using Firefox on Andriod (with long toots it's impossible to reply because you can't get down to the Toot button)... I quite like it but even though it's using uBlock and other filters it doesn't seem to actually block as much as Firefox + uBlock (possible because Bromite doesn't support CSS filter, I think).

                        Have you looked into good open source source Chromium forks before? Ideally ones that block ads. I find Twitter works better in Chromium based browsers on Android than on Firefox, but I can't stand seeing ads and I don't see them on Firefox with uBlock...

                        marcusquinnM Online
                        marcusquinnM Online
                        marcusquinn
                        wrote on last edited by
                        #38

                        @jdaviescoates Big fan of Vivaldi browser on macOS but there's no iOS version, there is an Android though, so worth a play, being a Chromium iteration as I understand.

                        Web Design https://www.evergreen.je
                        Development https://brandlight.org
                        Life https://marcusquinn.com

                        1 Reply Last reply
                        1
                        • njN Offline
                          njN Offline
                          nj
                          wrote on last edited by nj
                          #39

                          The comment thread on this post seems to have diverted from the original topic. I would like to comment on @marcusquinn's request for 2FA for LDAP apps. As @girish has said, we have had a long discussion about it, and the team couldn't come up with a one-size-fits-all solution. I was expecting the PASSWORD;TOTP feature in version 6 too. Here's my understanding and proposed solution:


                          1. Apps that have their own 2FA system, like Gogs, Gitlab, Wiki.JS, etc.
                          NOTE: I have used this trick in quite a few apps to save myself from having dozens of 2FA secrets. I simply replace the app's mfa_secret value with the secret from Cloudron (Hint: while setting up 2FA on your Cloudron account, select to enter code manually, and write the displayed secret in a piece of paper so you can copy it elsewhere).

                          Cloudron has access to the database so Cloudron could automate this process:

                          • enabling 2FA for that user in the app by authenticating as that user.
                          • replacing the TOTP secret in the app with the TOTP secret from the Cloudron user account.

                          The 2FA code from Cloudron will also work on the app, so no need to have per-app 2FA codes. But this approach has downsides:

                          1. The maintainer of this feature needs to keep things updated when the app's database schema changes!
                          2. The apps usually create a new account when the user logs in using LDAP. For the above approach to work, Cloudron should make those changes before the user's account is created on the app.

                          I have only done this with my own account because it's quite time consuming to replace the TOTP Secret for all users of my Cloudron instance; a script would certainly help.


                          2. Apps that do note have native support for 2FA
                          Proposed solutions:

                          • Cloudron adds a feature to support PASSWORD;TOTP as password, and validate TOTP by extracting it from the input. For this to work, all users must be informed. I wish password managers and authenticator apps had a feature to make it easier to auto-fill 2FA codes as well... 🙄
                          • can't think of another way, will add if I can come up with something

                          Enabling 2FA for all apps is an important feature for some users like me, because of compliance reasons & a bit of paranoia. I can't trust everyone to not fall for phishing attacks, so I really wish Cloudron team kept this feature in priority. For the time being, I'm enabling 2FA in per-app basis, and avoiding apps that don't have 2FA built in. ✌

                          Founder / Coder • My Apps

                          girishG H 2 Replies Last reply
                          3
                          • njN nj

                            The comment thread on this post seems to have diverted from the original topic. I would like to comment on @marcusquinn's request for 2FA for LDAP apps. As @girish has said, we have had a long discussion about it, and the team couldn't come up with a one-size-fits-all solution. I was expecting the PASSWORD;TOTP feature in version 6 too. Here's my understanding and proposed solution:


                            1. Apps that have their own 2FA system, like Gogs, Gitlab, Wiki.JS, etc.
                            NOTE: I have used this trick in quite a few apps to save myself from having dozens of 2FA secrets. I simply replace the app's mfa_secret value with the secret from Cloudron (Hint: while setting up 2FA on your Cloudron account, select to enter code manually, and write the displayed secret in a piece of paper so you can copy it elsewhere).

                            Cloudron has access to the database so Cloudron could automate this process:

                            • enabling 2FA for that user in the app by authenticating as that user.
                            • replacing the TOTP secret in the app with the TOTP secret from the Cloudron user account.

                            The 2FA code from Cloudron will also work on the app, so no need to have per-app 2FA codes. But this approach has downsides:

                            1. The maintainer of this feature needs to keep things updated when the app's database schema changes!
                            2. The apps usually create a new account when the user logs in using LDAP. For the above approach to work, Cloudron should make those changes before the user's account is created on the app.

                            I have only done this with my own account because it's quite time consuming to replace the TOTP Secret for all users of my Cloudron instance; a script would certainly help.


                            2. Apps that do note have native support for 2FA
                            Proposed solutions:

                            • Cloudron adds a feature to support PASSWORD;TOTP as password, and validate TOTP by extracting it from the input. For this to work, all users must be informed. I wish password managers and authenticator apps had a feature to make it easier to auto-fill 2FA codes as well... 🙄
                            • can't think of another way, will add if I can come up with something

                            Enabling 2FA for all apps is an important feature for some users like me, because of compliance reasons & a bit of paranoia. I can't trust everyone to not fall for phishing attacks, so I really wish Cloudron team kept this feature in priority. For the time being, I'm enabling 2FA in per-app basis, and avoiding apps that don't have 2FA built in. ✌

                            girishG Offline
                            girishG Offline
                            girish
                            Staff
                            wrote on last edited by
                            #40

                            @nj Apart from what you mentioned, I think for 1) there is also the issue that we somehow need to update the 2FA inside the app's database when the cloudron 2fa changes. Recently, I saw that some apps like rocket.chat can pull 2FA from LDAP. I haven't looked into it closely but maybe some sort of standardization is happening in this space.

                            Can consider this for next release nevertheless. It's actually very easy to implement, the hard part is to not confuse end users. But really, all the hard work has to be done the Cloudron admin to communicate to their users.

                            1 Reply Last reply
                            6
                            • njN nj

                              The comment thread on this post seems to have diverted from the original topic. I would like to comment on @marcusquinn's request for 2FA for LDAP apps. As @girish has said, we have had a long discussion about it, and the team couldn't come up with a one-size-fits-all solution. I was expecting the PASSWORD;TOTP feature in version 6 too. Here's my understanding and proposed solution:


                              1. Apps that have their own 2FA system, like Gogs, Gitlab, Wiki.JS, etc.
                              NOTE: I have used this trick in quite a few apps to save myself from having dozens of 2FA secrets. I simply replace the app's mfa_secret value with the secret from Cloudron (Hint: while setting up 2FA on your Cloudron account, select to enter code manually, and write the displayed secret in a piece of paper so you can copy it elsewhere).

                              Cloudron has access to the database so Cloudron could automate this process:

                              • enabling 2FA for that user in the app by authenticating as that user.
                              • replacing the TOTP secret in the app with the TOTP secret from the Cloudron user account.

                              The 2FA code from Cloudron will also work on the app, so no need to have per-app 2FA codes. But this approach has downsides:

                              1. The maintainer of this feature needs to keep things updated when the app's database schema changes!
                              2. The apps usually create a new account when the user logs in using LDAP. For the above approach to work, Cloudron should make those changes before the user's account is created on the app.

                              I have only done this with my own account because it's quite time consuming to replace the TOTP Secret for all users of my Cloudron instance; a script would certainly help.


                              2. Apps that do note have native support for 2FA
                              Proposed solutions:

                              • Cloudron adds a feature to support PASSWORD;TOTP as password, and validate TOTP by extracting it from the input. For this to work, all users must be informed. I wish password managers and authenticator apps had a feature to make it easier to auto-fill 2FA codes as well... 🙄
                              • can't think of another way, will add if I can come up with something

                              Enabling 2FA for all apps is an important feature for some users like me, because of compliance reasons & a bit of paranoia. I can't trust everyone to not fall for phishing attacks, so I really wish Cloudron team kept this feature in priority. For the time being, I'm enabling 2FA in per-app basis, and avoiding apps that don't have 2FA built in. ✌

                              H Offline
                              H Offline
                              hendrikvl
                              wrote on last edited by
                              #41

                              Just searched the forum for any news on 2FA and am happy that the discussion came up again. I would also endorse the proposal of PASSWORD;TOTP. Having no 2FA for some of the apps makes me somewhat nervous nowadays.
                              I totally understand that this is less than ideal from an UX perspective, but I don't see how it would hurt if admins can optionally enable it.

                              girishG 1 Reply Last reply
                              2
                              • H hendrikvl

                                Just searched the forum for any news on 2FA and am happy that the discussion came up again. I would also endorse the proposal of PASSWORD;TOTP. Having no 2FA for some of the apps makes me somewhat nervous nowadays.
                                I totally understand that this is less than ideal from an UX perspective, but I don't see how it would hurt if admins can optionally enable it.

                                girishG Offline
                                girishG Offline
                                girish
                                Staff
                                wrote on last edited by
                                #42

                                @hendrikvl Yes, we will try to add this in the next release. This current release (6.1) we pushed out has 2FA for the proxy auth apps now.

                                humptydumptyH 1 Reply Last reply
                                4
                                • girishG girish

                                  @hendrikvl Yes, we will try to add this in the next release. This current release (6.1) we pushed out has 2FA for the proxy auth apps now.

                                  humptydumptyH Offline
                                  humptydumptyH Offline
                                  humptydumpty
                                  wrote on last edited by
                                  #43

                                  @girish I just logged into Wordpress (dev) with my CR user that has 2FA enabled and it didn't ask me for the code. Is there an option I need to enable somewhere or is this feature still on the to-do list?

                                  girishG 1 Reply Last reply
                                  1
                                  • humptydumptyH humptydumpty

                                    @girish I just logged into Wordpress (dev) with my CR user that has 2FA enabled and it didn't ask me for the code. Is there an option I need to enable somewhere or is this feature still on the to-do list?

                                    girishG Offline
                                    girishG Offline
                                    girish
                                    Staff
                                    wrote on last edited by girish
                                    #44

                                    @humptydumpty that's correct, this feature didn't get implemented. The 2FA is only implemented on the Cloudron side and not for the apps. There was a parallel discussion going on about how to show what kind of auth is being used in an app in the dashboard. I think we need to show some indication to the user about how to log in before implementing this feature.

                                    1 Reply Last reply
                                    1
                                    • G Offline
                                      G Offline
                                      gog122
                                      wrote on last edited by
                                      #45

                                      3 years later any plans to have 2FA feature ?

                                      1 Reply Last reply
                                      1
                                      • nebulonN Offline
                                        nebulonN Offline
                                        nebulon
                                        Staff
                                        wrote on last edited by
                                        #46

                                        We are moving one app after the other over to OpenID connect where we can use Cloudron 2FA which exists for a long time now. LDAP has no proper standard to do this as such.

                                        1 Reply Last reply
                                        2
                                        • girishG Offline
                                          girishG Offline
                                          girish
                                          Staff
                                          wrote on last edited by
                                          #47

                                          I will mark this as solved. LDAP standard hasn't moved to support 2FA and neither have apps settled on a pseudo standard. There is not much we can do.

                                          1 Reply Last reply
                                          0
                                          • girishG girish marked this topic as a question on
                                          • girishG girish has marked this topic as solved on
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Categories
                                          • Recent
                                          • Tags
                                          • Popular
                                          • Bookmarks
                                          • Search