How to introduce two-factor authentication to Nextcloud on Raspberry Pi 4?


I added a two-factor authentication mechanism to Nextcloud on Raspberry Pi 4!

I want to use Nextcloud from the Internet.
But if my password is leaked, my data can be seen …
Is there any way to avoid that?
I heard two-factor authentication is useful.

You can find the solution after reading this post.

What is two-factor authentication?

As you know, two-factor authentication is a method that strengthens security.

Normal authentication requires you to enter the password that corresponds to your username.
This is based on the concept shown below:
only one person (usually yourself) knows your password.

However, as you can see in the news, there are many cases where sensitive data, including passwords, is stolen.
The most recent was Spotify.

Spotify resets up to 350,000 passwords linked to third-party data leak
This is a lesson not to re-use your passwords.

Therefore, password-based authentication is not enough, and we need to think about additional authentication.
With it, you are safer than now even if your password is leaked.

The most common way to realize this is so-called two-factor authentication, which adds an authentication step that does not rely on a fixed password.

There are various ways to realize two-factor authentication.
The major method is to display a one-time password in a smartphone app and enter it in the authentication field.
The one-time password is valid only for a short time.
– usually 1 minute

So even if an attacker steals a one-time password, it cannot be used for long, because the valid period of the one-time password is very short.

This is based on the following concepts:
– Password (“I know” authentication)
I know the password that only the user to be authenticated knows
-> the system can treat me as that user
Other example: a secret question (mother’s maiden name, or others)
– Smartphone app (“I have” authentication)
I have the smartphone that only the user to be authenticated has
-> the system can treat me as that user
Other example: fingerprint authentication

You might have seen a site that asks you to set an additional password for two-factor authentication.
But that means you have set up two “I know” authentications in the terms shown above.
This increases security, of course, but using “I have” authentication such as a smartphone app or a fingerprint (or others) is more secure.

In this post I will show two-factor authentication with a smartphone app for Nextcloud.

Installing two-factor authentication in nextcloud

This is easy.
Just install an application in Nextcloud.

I will show you how to add an app called Two-Factor TOTP Provider.
– You can find other apps; you can choose any of them.

Two-Factor TOTP Provider - Apps - App Store - Nextcloud
The Nextcloud App Store - Upload your apps and install new apps onto your Nextcloud

Log in as your Nextcloud admin and choose “Apps”.

In the Security category you will find Two-Factor TOTP Provider, so install it.

That’s it!
You can now use two-factor authentication!

The next step is to activate two-factor authentication for each user.
First, go to the user’s settings page.

There is a checkbox labelled TOTP enable, so check it.

Then a QR code will be displayed as follows.

Now install a two-factor authentication app on your smartphone.
I use Google Authenticator.

Google Authenticator - Apps on Google Play
Enable 2-step verification to protect your account from hijacking.

When you scan the above QR code with the authenticator app, the Nextcloud user information is registered in the app, and from then on a one-time password for that user is generated periodically.

Enter the one-time password displayed at that moment into the authentication code field and you are ready to go.

Trying two-factor authentication

Let’s log out and log in once again.

After you enter the password, the page below is shown, requesting the one-time password.

If you enter the 6 digits displayed in the authenticator app here, the login will succeed.

Note

When you want to stop two-factor authentication, please follow these steps in this order.
– Stop using two-factor authentication in Nextcloud.
– Log out, log in again, and confirm that you are not asked for a one-time password.
– Delete the corresponding one-time password generator in the authenticator app.

If you delete the authenticator app or the one-time password generator first, you will never be able to log in!!

Conclusion

How was it?

I think we’ve achieved strong security.

Next time, I would like to try Talk, which is a Nextcloud app!
