After upgrade disable/enable 2fa generates a new code #123

Open
wahlis opened this issue Jan 18, 2017 · 9 comments
@wahlis

wahlis commented Jan 18, 2017

Steps to reproduce

Upgrade to 11.0.1
Log in after session timeout

Expected behaviour

After entering code I should be able to login

Actual behaviour

TOTP (Google Authenticator) Swedish error message "Fel vid verifiering av tvåfaktorsautentisering."
New prompt to add Authentication code

After using a backup code I was able to login. Disabling 2fa let me login again. When I re-enable it a new key is generated.

This behaviour did not occur before the upgrade. I have had some issues with OPDS not working with app passwords so I have disabled and then re-enabled 2fa several times before.

Server configuration

Operating system:
Ubuntu 16.04.1 LTS

Web server:
Apache 2.4.18

Database:
mysql-server-core-5.7.16

PHP version:
7.0.13

Nextcloud version: (see Nextcloud admin page)
11.0.1

Updated from an older Nextcloud/ownCloud or fresh install:
Update

@ChristophWurst
Member

> When I re-enable it a new key is generated.

This is expected.

Did you change any of your config values in config/config.php?

@wahlis
Author

wahlis commented Jan 19, 2017

I would argue that it is not expected that a new key is generated by ticking a checkbox. To me the checkbox only enables or disables the functionality. Before a new key is generated I would expect to make a confirmation of the change.

I did not change the config before getting this behaviour. However the version number was changed by the updater during the upgrade.

@Aybee2k

Aybee2k commented Jan 22, 2017

The same here, but we don't have a backup code.....

TOTP (Google Authenticator)
Bitte authentifizieren Sie sich mit dem ausgewählten zweiten Faktor.
Es ist ein Fehler bei der Verifizierung des Tokens aufgetreten

TOTP (Google Authenticator)
Please authenticate with the selected second factor.
An error occurred while verifying the token

@ChristophWurst
Member

This is strange. So it happened like

  • install twofactor_totp on Nextcloud 10
  • use TOTP 2FA successfully
  • update to NC11 -> TOTP stops working
  • re-generate TOTP secret and re-configure smartphone app
  • TOTP works again

right?

@wahlis
Author

wahlis commented Jan 23, 2017

Yes.

But also

  • Uncheck "Activate TOTP"
  • Check "Activate TOTP"
  • New code is generated.

To me this is completely broken. There is no information that things will change when I tick the check box. There is no confirmation to inform me that a change has taken place.

After activating, a code is displayed, but there is no information to tell me that this code is a new one and not my previous code.

If I untick the checkbox by mistake and then tick it again my login will be broken without any confirmation or information about this change.

Correct behaviour should be that the information is retained. When I re-enable TOTP I should be given the choice to generate a new code.

Nothing should be changed without either a confirmation dialogue or a save button.

@ChristophWurst
Member

> If I untick the checkbox by mistake and then tick it again my login will be broken without any confirmation or information about this change.

True. There are two things we can do to prevent this. First, password confirmation which we implemented already. Second, we should show a hint/warning.
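The failure mode discussed in this thread, as an added example that is not part of the original comments and is not Nextcloud's or twofactor_totp's code: a minimal RFC 6238 TOTP plus a toy account model, showing that a device enrolled before a disable/enable cycle stops verifying once the server regenerates the secret, and keeps working when the secret is retained. The `ToyAccount` class, its `keep_secret_on_disable` flag and the timestamp are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `now`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, now, window=1):
    """Accept the current time step and `window` steps either side."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30), code)
               for d in range(-window, window + 1))

class ToyAccount:
    """Hypothetical server-side 2FA state; not the app's real data model."""
    def __init__(self, keep_secret_on_disable):
        self.keep = keep_secret_on_disable
        self.secret = None
        self.enabled = False

    def enable(self):
        if self.secret is None:                  # no stored secret: make a new one
            self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self.enabled = True
        return self.secret                       # what the user scans or types in

    def disable(self):
        self.enabled = False
        if not self.keep:                        # behaviour reported in this issue
            self.secret = None

def old_device_still_works(keep_secret_on_disable, now=1_484_700_000):
    """Enrol a device, untick and re-tick the checkbox, then try to log in."""
    acct = ToyAccount(keep_secret_on_disable)
    device_secret = acct.enable()                # phone enrolled once
    acct.disable()
    acct.enable()                                # server may now hold a new secret
    return verify(acct.secret, totp(device_secret, now), now)

if __name__ == "__main__":
    print("secret regenerated:", old_device_still_works(False))
    print("secret retained:   ", old_device_still_works(True))
```

With a regenerated secret the only ways back in are a backup code or re-enrolling the device, which is why a warning before the secret is replaced matters.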
