I am considering using Seafile for my (small) business. One thing that concerns me is access by employees from multiple devices. Ideally I would like to limit access to one device per user, or to any additional device I have personally authorized. Some research led me to the conclusion that limiting access on a per-device basis is not possible in Seafile.
Now I was wondering if I could use 2FA to accomplish the same? Meaning, is it possible to configure 2FA such that the 2nd authorization step always requires my own intervention as an admin; so that someone can only login on a new device with my approval. (SMS OTP always coming on my phone number for example).
Also, if I set up the Seafile client on one PC, how often would I be required to log in with 2FA on that PC? Only once, and then only again once the password or account changes? Or would it periodically ask to verify password + 2FA from time to time?
If you’re the only one who owns the secrets, you’re the only one who can grant access to a new device. QED
Unfortunately, you’ll face some issues:
Your users can disable 2FA from the Seahub web interface.
They can generate recovery codes from the same interface. These are basically codes designed to be saved in a secure place in case you lose your secret. But in your case, they just give your users a way to bypass your 2FA control.
But I see some workarounds:
Don’t allow Seahub session (you need 2FA to get in), don’t connect your user to the web interface, and they’ll be powerless.
Blacklist the following routes (I’m unsure whether this can be bypassed or whether it breaks anything):
Disable Seahub web interface (or make it reachable only from your device or something)
Other ways that came to my mind:
Instead of managing TOTP secrets, manage the passwords. There’s no password recovery available for the user unless you set it up. Can be taken as an intrusive solution, though. Even if you can already read all files from the server.
Don’t expose Seafile outside your local network. This is a slightly different approach that may or may not fit your case.
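A concrete form of the "make Seahub reachable only from your device" workaround, as an added example that is not part of the post above and not Seafile's own configuration: a reverse-proxy rule set that leaves the endpoints the sync clients use open to everyone and restricts the rest of the web interface (which includes the pages for disabling 2FA and printing recovery codes) to a single admin address. It assumes the standard Seafile layout behind nginx (Seahub on 127.0.0.1:8000, the file server on 127.0.0.1:8082), that the desktop and mobile clients only need the `/api2/`, `/api/v2.1/` and `/seafhttp` prefixes, and a placeholder admin address `203.0.113.10`; all three should be checked against the Seafile manual for the version being deployed.

```nginx
# Added example, not taken from the Seafile project or from the post above.
# Assumptions (verify against the Seafile manual for your version):
#   - Seahub listens on 127.0.0.1:8000, the file server (seafhttp) on 127.0.0.1:8082
#   - sync clients only need /api2/, /api/v2.1/ and /seafhttp
#   - the admin's device has the fixed address 203.0.113.10 (placeholder from the
#     documentation range; replace with your own)

server {
    listen 443 ssl;
    server_name seafile.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key as in your existing deployment

    # Sync-client API: open to the world, still gated by password + 2FA at login.
    location ~ ^/(api2|api/v2\.1)/ {
        proxy_pass           http://127.0.0.1:8000;
        proxy_set_header     Host $host;
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto https;
        proxy_read_timeout   1200s;
        client_max_body_size 0;
    }

    # Block/file transfer used by the sync clients.
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass               http://127.0.0.1:8082;
        client_max_body_size     0;
        proxy_request_buffering  off;
        proxy_read_timeout       36000s;
    }

    # Everything else is the Seahub web UI, including the profile pages where a
    # user could turn 2FA off or generate recovery codes. Only the admin may reach it.
    location / {
        allow 203.0.113.10;
        deny  all;
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Two caveats before relying on this. First, the `deny all` on `/` also blocks public share links and any other browser-facing page for non-admin users, which is the intended trade-off but must be acceptable to the business. Second, the rule only helps if no 2FA-management endpoint is reachable through the API prefixes left open; check the Seahub URL table of the installed version, and if such an endpoint exists under `/api2/` or `/api/v2.1/`, narrow the open `location` to exactly the paths the clients call, which is what the route blacklist in the post above is aiming at.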
Thanks for the comprehensive explanation! So in short, it’s possible, but not very convenient.
Yeah, this was our default mode before COVID. We just had a local server in the office, only accessible through the local network.
Now we’re working from home, so this was no longer a solution. We went with Onedrive for convenience, just a single account, everyone using the same login. But we are now starting to realize the problems with that. So that’s why we are looking into Seafile as a possible affordable alternative that addresses some of these issues.
The main concern was how to deal with people leaving the organization, and their access to our data. My first thought was to limit access to the devices we own as a company. However, the more I think about it, remote wipe combined with the ability to monitor connections is probably sufficient to address this too - and logistically more convenient as well, since it would allow people to work on their own machines. Many of our employees have temporarily moved back to their home towns (which is often quite a distance from the office) - most of them have taken a machine from the office, but it’s not a very practical solution.
If people want to steal information and share it outside our organization, limiting device access makes that a little more difficult, but certainly not impossible. I guess anyone with such intent will find their way regardless.