2FA to control access per device

Hi all,

I am considering using Seafile for my (small) business. One thing that concerns me is access by employees from multiple devices. Ideally I would like to limit access to one device per user, or to any additional device I have personally authorized. Some research lead me to the conclusion that limiting access on per device basis is not possible in Seafile.

Now I was wondering if I could use 2FA to accomplish the same? Meaning, is it possible to configure 2FA such that the 2nd authorization step always requires my own intervention as an admin; so that someone can only login on a new device with my approval. (SMS OTP always coming on my phone number for example).

Also, if I set up a the seafile client on one PC, how often would I require login in with 2FA on that PC? Only once, and then only again once password or account changes? Or would it periodically ask to verify password + 2fa from time to time?

I’m not a security expert, so wait for reviews about my suggestions and ask more qualified people if possible.

This is a possibility. Afaik Seafile does not provide SMS OTP though but TOTP.
If you’re not familiar with the concept, let me summarize quickly:

  • At 2FA setup, a secret will be given to you, a secret you share with the server.
  • With this secret, you can generate OTP which change like every 30 seconds (standard duration).
  • You usually manage all your secrets in an app on your phone, for example this one:

If you’re the only one who owns the secrets, you’re the only who can grant access to a new device. QED

Unfortunately, you’ll face some issues:

  • Your users can disable 2FA from the Seahub web interface.
  • They can generate recovery codes from the same interface that are basically codes designed to be saved in a secure place in case of you lose your secret. But in your case, they just provide a way to your users to bypass your 2FA control.

But I see some workarounds:

  • Don’t allow Seahub session (you need 2FA to get in), don’t connect your user to the web interface, and they’ll be powerless.
  • Blacklist the following routes (:warning::warning:I’m unsure if this can’t be bypassed or doesn’t break anything :warning::warning: ):
    /profile/two_factor_authentication/disable/
    /profile/two_factor_authentication/backup/tokens/
  • Disable Seahub web interface (or make it reachable only from your device or something)

That’s it.

Other ways that came to my mind

  • Instead of managing TOTP secrets, manage the passwords. There’s no password recovery available for the user unless you set it up. Can be taken as an intrusive solution, though. Even if you can already read all files from the server.
  • Don’t expose Seafile outside your local network. This is a slightly different approach that may or may not fit your case.

Welcome to the Seafile Community Forum!

Your conclusion is correct. You cannot limit the number of devices used by the users.

What you can do though is to restrict the usage of clients. You can disallow desktop and/or mobile clients in the role settings. (This is a Seafile PE feature.)

No, sorry. This won’t work.

As you say: Every time you change your accounts settings.

Have you seen Seafile’s audit log? The audit log tells you

  • when a user has logged in
  • when a user has accessed a file
  • when a user has modified a file
  • a permission was changed.

If you are afraid of data leakage, this is not a preventive measure, but you can monitor activity on your system.

Thanks for the comprehensive explanation! So in short, its possible, but not very convenient.

Yeah, this was our default mode before COVID. We just had a local server in the office, only accessible through the local network.

Now we’re working from home, so this was no longer a solution. We went with Onedrive for convenience, just a single account, everyone using the same login. But we are now starting to realize the problems with that. So that’s why we are looking into Seafile as a possible affordable alternative that addresses some of these issues.

The main concern was how to deal with people leaving the organization, and their access to our data. My first thought was to limit access to the devices we own as a company. However, the more I think about it, remote wipe combined with the ability to monitor connections is probably sufficient to address this as well - and logistically more convenient as well, since it would allow people to work on their own machines. Many of our employees have temporarily moved back to their home towns (which is often quite a distance from the office) - most of them have taken a machine from office, but its not a very practical solution.

If people want to steal information and share it outside our organization, limiting device access makes that a little more difficult, but certainly not impossible. I guess anyone with such intent will find their way regardless.

Thanks for your answer.

Restricting use of mobile clients is a usefule feature, wasn’t aware of that.

Restricing use of PC clients is not workable, since that’s the main way I envision we would use it.

Ok, the famous work-from-home problem…

What I’ve mainly seen to mitigate this issue is a Remote Desktop with strong restrictions (no access to external drives, no copy allowed to the host, etc.) with paranoid good monitoring.

If you use Seafile as it, people will have a local copy of the data and then you simply won’t know what they are doing with it.