Seems that upgrades in Nextcloud have a propensity to break 2FA provider apps as this is apparently something that bit people going to NC15 but in our case got us after we upgraded to NC16
Far as I can tell, what happens is that you have upgraded to the latest NextCloud before a compatible version of your 2FA providers “apps” is available (why you would release without 2FA is beyond me), and so the provider apps get disabled.
When you try to log in, all you’ll see is this:
To fix this, run the following in the nextcloud web root – these sudo commands have to be run as the same UID as the owner of the config file, so if in your environment you aren’t running nextcloud under www-data then you’ll have to adjust the sudo commands as necessary to specify the correct user.
NB: that I’m running these sudo commands as root, so I don’t need any sudo pre-configuration as such to allow me to run these as www-data.
First, identify what 2FA provides your affected user has configured – so, for a user called “adminusername”:
# sudo -u www-data php occ twofactorauth:state adminusername Two-factor authentication is enabled for user adminusername Enabled providers: - totp - u2f Disabled providers: - backup_codes
So, what we see here is this user had both TOTP and U2F (but, tsk, no backup codes – in our experience, twofactor_backup_codes was still working, so a user with backup codes would be able to still log in – you’d still have to understand what to do to fix your install though!)
Check to see if your modules are missing:
# sudo -u www-data php occ app:list | grep twofactor - twofactor_backupcodes: 1.5.0
Uh-oh, no twofactor_totp OR twofactor_u2f.
Make sure your nextcloud apps are up to date:
# sudo -u www-data php occ app:update --all
Then re-enable your twofactor provider apps, so for “totp” and “u2f”, you want:
# sudo -u www-data php occ app:enable twofactor_totp twofactor_totp enabled # sudo -u www-data php occ app:enable twofactor_u2f twofactor_u2f enabled
Now you should be able to log back in as normal with your 2FA.