[Request] Jottacloud 2FA


#1

Hi, I am a very satisfied user of Duplicati 2 since November last year and have since uploaded a couple dozen TB to jottacloud.

I use the regular jottacloud apps (Desktop/Mobile) as well and have some unencrypted, sensitive documents there. For this reason, I would really like to use 2FA on jottacloud.com

I understand this would require Duplicati to not only store my jotta credentials, but an authorization token instead, that contains the session data after entering valid 2FA credentials.

Is there any way you could implement this? jotta is my only “main” service I am currently using without proper 2FA in place.

Thank you


#2

Since the Duplicati backend is based on a non-official reverse engineered API, it might not be that easy to do. We are, though, already looking into upgrading the backend to a new API that Jottacloud has for uploading files (which should speed up the backup process). It could be that we find something that enables us to implement 2FA in that process, but no promises…


#3

Thank you for the quick reply. This is more than I could have hoped, knowing about the unofficial nature of the current api-connection.

Looking forward to whatever you guys are able to implement.


Jottacloud Error 401 (Unauthorized)
#4

While trying to answer #4232, I discovered Changes to Jottacloud authentication. OpenID Connect mentions “Multi-factor authentication” among its potential future benefits, but I wondered if there are also compatibility impacts from this on third party software like JaFS (whose Jottacloud background info helped) and Duplicati.

Because @albertony seems central to both of those packages (thanks!), let me see if I can get an opinion.


#5

I have seen that, but not had the chance to look into what effect it has on my code. Regular username/password authentication still seems to work (assuming #3929 was caused by something else…), but I fear that it will not last and we must handle OpenID (not only for the added feature of 2FA/MFA support). If anyone feels like helping find out how this stuff works, it would be appreciated…


#6

I will not be able to contribute much, except for this tip:
Try and talk to jottacloud directly. They have so far been very helpful, when asked questions.

OpenID seems the most stable way to go.


#7

Jottacloud support has recently been implemented in rclone. That will be interesting to try out, and to follow its development!

The initial version seems to follow the same principles as the implementation in Duplicati, and since there is mention of it being partly based on the work on JaFS, which was also the foundation for the Duplicati backend, that is not surprising. But there is also a pull request where support for the new API and OAuth is being implemented (using information from ttyridal if anyone is interested in some more details). That is something we can use as a reference for improvement in the Duplicati backend as well. Unfortunately there is no 2FA support (I think) in rclone’s implementation either, and as discussed in the pull request it is a bit risky since they have generated an API key that is being embedded in the implementation, and it could easily be revoked at any point. Maybe we should support both the existing and the new API/authentication, with a configuration option to decide, as long as the existing one still works…


#8

Is there any way I could help here? jotta could deprecate the old auth method any day…