mirror of
https://github.com/go-gitea/gitea.git
synced 2026-03-14 11:56:41 -05:00
Allow U2F 2FA when TOTP is disabled #2576
Closed
opened 2025-11-02 04:40:57 -06:00 by GiteaMirror
10 comments
Labels: type/proposal
Reference: github-starred/gitea#2576
Originally created by @rugk on GitHub (Nov 26, 2018).
Similar to GitLab, you seem to require TOTP 2FA to be set up before I can enable U2F.
Obviously this is a silly requirement, as I should be able to enable what I want and there is no reason to force TOTP to be enabled. Obviously it should still enable the recovery password (you seem to call it "one-time password").
See e.g. how any other website does it.
@lafriks commented on GitHub (Nov 26, 2018):
Yeah it's kind of for historical reasons but I agree this can be improved
@jonasfranz commented on GitHub (Nov 27, 2018):
There are reasons to force you to enable TOTP since many devices do not support U2F 2FA (iOS, IE, Edge, etc. etc.). This protects you from locking yourself out from your account.
@rugk commented on GitHub (Nov 27, 2018):
Huh? You cannot enable U2F 2FA (or, at least, you should not be able to) if the browser does not support it. Then you can't be locked out of your account.
Generally said, of course, if enabling a 2FA method fails, it should obviously cancel all that whole thing and not force it on the next login.
@tankerkiller125 commented on GitHub (Dec 1, 2018):
@rugk let's say I set up my account through Chrome on the desktop and I suddenly have a need to log in on a mobile device for some reason. How am I supposed to get into my account without TOTP, since my mobile device doesn't support U2F? By forcing TOTP first this issue is completely resolved and system admins won't have employees calling them about something that's basically a stupid issue.
@rugk commented on GitHub (Dec 1, 2018):
Okay, I get it. It's about cross-browser/device login…
Obviously as a user you would (have to) know what method you can use where and how.
In the same way, you can also just set it up on a mobile phone and then forget that you need your mobile phone for login on a desktop.
Or that you sign-up to a service on one device, save it in a password manager/browser and then cannot sign up on another one. (that is equivalent to 2FA issues…)
Or that you have two mobile phones and added the TOTP code on one phone only, so you cannot log in when you use the other phone.
It has to be obvious (and I think it is) that all these examples do not work and you blame yourself as a user if you forget your 2FA phone or so.
It's obviously the same if you use a U2F key, and I guess it is quite obvious to the user that they cannot plug that into their phone (without an adapter 😉). But, of course, you can use U2F keys on phones too, if your phone and the key have NFC.
So actually you are assuming a very tight scenario you are trying to protect the user from that may not really apply (NFC) and may not really be an issue the users ran into. (As said, I'd say you can assume they are "intelligent" enough to get that you cannot log in with a USB key on your phone if it's not compatible, i.e. NFC.)
Also U2F key 2FA is obviously more secure than just TOTP (e.g. against phishing), so I as a user may choose to deliberately only enable U2F, not TOTP.
And as you can see, no other service (except for GitLab, but they also want to change it: https://gitlab.com/gitlab-org/gitlab-ce/issues/48918) forces TOTP for U2F activation. And I'd say many people on GitHub etc. thought about the whole thing in detail.
If you want, you may just add a note/warning when enabling U2F that this cannot be used on some browsers/devices or so, but users may already know this anyway…
@tankerkiller125 commented on GitHub (Dec 1, 2018):
@rugk don't get me wrong, I think 99% of developers using this understand how all of this works; however, there's always some company that lets marketing, sales or other groups use a login, and those groups unfortunately (at least in my experience) lack the skill or thought process required to understand that something might not work across all devices.
@jonasfranz commented on GitHub (Dec 2, 2018):
@rugk GitHub also forces TOTP if you want to use U2F.
@rugk commented on GitHub (Dec 2, 2018):
@JonasFranzDEV Really? That would be stupid, too. Cannot test it, however…
@roschler commented on GitHub (Apr 22, 2019):
Adding my vote for the ability to use U2F without requiring a phone.
@voretaq7 commented on GitHub (Jul 17, 2020):
U2F without TOTP is eminently reasonable: These are two separate technologies, there is no reason to force one to enable the other. (Everyone thinks it would be unreasonable to require U2F to enable TOTP, right?)
Plus it maps to my org's use pattern better: Your SSH key is on your YubiKey, it's logical that your YubiKey is also the thing you need to use to access the web UI.
#11573 seems like a reasonable patch to me (needs some polish detecting 2FA is enabled if the user is U2F only which is ongoing).
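The last comment's point about detecting that 2FA is enabled for a U2F-only user, shown as an added Go example that is not Gitea's or the linked PR's code: a constructed user model, the TOTP-only check beside the corrected one, and a login-step selector that falls back to recovery codes (the "one-time password" mentioned above) instead of silently skipping the second factor. The `User` type, the field names and the step strings are assumptions made for this illustration.

```go
package main

import "fmt"

// User is a constructed model of a user's second-factor enrollments
// (not Gitea's own types). A user may have a TOTP secret, U2F
// registrations, or both.
type User struct {
	Name             string
	TOTPSecret       string   // empty when TOTP is not enrolled
	U2FRegistrations []string // constructed key handles; empty when none
}

// hasTwoFactorTOTPOnly is the check the thread warns about: it reports
// 2FA as enabled only when TOTP is set up, so a U2F-only user would be
// treated as having no second factor at all and waved through.
func hasTwoFactorTOTPOnly(u User) bool {
	return u.TOTPSecret != ""
}

// HasTwoFactor is the corrected check: any enrolled method counts.
func HasTwoFactor(u User) bool {
	return u.TOTPSecret != "" || len(u.U2FRegistrations) > 0
}

// NextLoginStep decides what the login flow demands after the password
// has been verified. U2F is preferred when the browser supports it, TOTP
// is the fallback for devices that cannot talk to the key, and a U2F-only
// user on such a device is sent to recovery codes rather than let in.
func NextLoginStep(u User, browserSupportsU2F bool) string {
	switch {
	case !HasTwoFactor(u):
		return "session" // nothing enrolled: issue the session directly
	case len(u.U2FRegistrations) > 0 && browserSupportsU2F:
		return "u2f"
	case u.TOTPSecret != "":
		return "totp"
	default:
		return "recovery-code"
	}
}

func main() {
	keyOnly := User{Name: "alice", U2FRegistrations: []string{"handle-1"}}
	fmt.Println(hasTwoFactorTOTPOnly(keyOnly), HasTwoFactor(keyOnly)) // false true
	fmt.Println(NextLoginStep(keyOnly, true), NextLoginStep(keyOnly, false))
}
```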