Support two-factor authentication (2FA) for non-Pro version


I originally created this as a request on GitHub for Seahub:

I really appreciate your work on Seafile/Seahub and, while I understand the requirement to differentiate the Pro version for monetisation reasons, disallowing two-factor authentication (2FA) for the community version is, for me, an odd and potentially dangerous decision.

Two-factor authentication should not be considered a feature. It is a fundamental necessity in the modern cloud era to protect our information from malicious attackers and provides a hugely comforting safety net in a situation where a password is stolen or compromised.

I sincerely hope that you will consider enabling this feature for the community version of Seafile/Seahub, for the sake of your users’ safety and security.

Many thanks again for your time and effort.


yes - i think, that safty features should be available in all versions.

Imagine the reputation damage, if one must admit, a hack on seafile only succeeded because no 2fa was available.

i say it again - do all kind of controlling features in pro (ldap, statistiks, tracking, …).
in business this kind of things are needed.
safty features are essential and should be available to everyone!!!


@Ludger Agreed completely. We’ve already seen the massive backlash that can occur over security incidents on personal cloud services with the recent NextCloud incident.

2FA is a golden standard for easy and reliable security. It should be available for free on all platforms and applications.

I also agree that features like LDAP, analytics, statistics and other “enterprise”-oriented features can be fairly justified for inclusion in the Pro version only. It is important for the Seafile company to be able to monetise their product, and most business customers are more than happy to pay for such features.


@daniel.pan @Seafile-Team
I would like to ask you, think again about 2FA for Community Edition.
Nowadays is a must-have, to secure a login via a 2FA mechanism. But I can also understand that the implementation of this function has cost some resources. It would be conceivable over a donation (Crowdfund),to make this feature available in Community Edition?

Personally, I do not think it would be useful if we have a second implementation only for the Community Edition. That would increase the effort of maintenance only.

Big Thanks for the great project Seafile

1 Like

Okay, we will add the two-factor authentication to community edition.


@daniel.pan That’s great news! Thank you for reconsidering. 2FA will make an already great piece of software even greater!

I am so glad to hear that, thanks for the effort!
Will WebDAV access be possible with 2fa? Will we need to use a token instead of a password for authentication?

We don’t have a plan to support WebDAV for 2fa yet.

If you require two factor you should maybe keep webDAV disabled for security reasons anyways.
What do you think?

What’s the problem with WebDAV? I don’t think it’s less secure than the seafile protocol. A solution could be to use a token as a password (of course, with all of the changes that that would need to work).

no problem at all. As far as I know it’s a very basic protocol which is harder to secure in terms of session control or am I wrong here?

is it possible to give us a timeline for implementation

But if you require your 2FA token instead of the password for the WebDAV authentication, you actually don’t have two factors anymore, because the first factor, your password, is not used anymore.
And I don’t think that this can possibly work without support for something like that in the HTTP/WebDAV protocol and actually any WebDAV client.

Once you login using 2FA (or not), the server gives the client you are using a token to authenticate its requests, that token can be targeted (the token will only allow the client to upload a file, or access a specific resource, with the server being able to trace changes back to the owner of the token) and/or temporal (it will only last for 7 days), unlike a password that allows you to impersonate the user to the latest extent. The token in this case is used to identify something else than the user, a client that can access the WebDAV service. Because of that, if a token gets leaked, the situation isn’t as bad as having a password leak, and it’s easier to detect too.

We plan to add 2FA to community edition in version 6.2. But we don’t have plan to support WebDAV yet.


But if you require your 2FA token instead of the password for the WebDAV authentication, you actually don’t have two factors anymore, because the first factor, your password, is not used anymore.

yes - maybe its possible to kombine both to one long password.


this way you need both and it should be possible to implemented easily

I noticed that version 6.2 is planned in September, but there is mention of 2FA in your roadmap.
Is the 2FA still coming in this (community) version?

yes, it will be in CE.


Hi Daniel,

I have installed v6.2 and it looks very good.
The only thing which I am missing is the visible code (not the QR code).
‘Normally’ this code is printed under the QR code, so I can write it down or store it in my online safe.

I found the code in the source code (when the QR code is displayed), but it would be handy when it is printed on the screen.

Again; very good and thank you for integrating 2FA in the CE.


While in general use 2FA you can still limit webdav using nginx allow deny directives.

location /seafdav {
deny all;


1 Like