Starting with Nextcloud 10, it is possible to plug custom two-factor auth apps into Nextcloud’s authentication system. One of the most popular second factors is TOTP, also known as Google Authenticator, for which I have created a 2FA provider app for Nextcloud.

TOTP – how it works

TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

That means your server and your smartphone app share a secret. Whenever a user wants to authenticate on Nextcloud, the smartphone app creates a new time-based password using the shared secret. After the users entered that password into Nextcloud, the server can use the shared secret to verify the password.

Installing and enabling the app

You can grab the latest version from the app store, from within your Nextcloud’s admin web interface. Alternatively, you’ll find a packaged version of the app on the project’s GitHub page.

Go to the admin's app page Find the app in the *Tools* category

Enabling TOTP on your account

Now log into a user’s account and go to the personal settings page.

Go to your personal settings

You’ll see that the TOTP second factor is still disabled for your account. If you haven’t installed a TOTP app yet, this is the step where you’ll need one. Personally, I can recommend OTP Authenticator, which is available on F-Droid. There are many other apps you can use, like the proprietary Google Authenticator for Android and iOS. TOTP is disabled by default

Now, click “Enable TOTP” to generate a new secret. You’ll see the secret and a QR-code, that can be scanned by your TOTP app: The newly generated TOTP secret is shown. Next to it you'll see a QR-code

Depending on which TOTP smartphone app you’re using, type in your generated secret or scan the QR code. And that’s it. Now your account is protected by a second factor.

Logging in using a TOTP code

Now let’s log out and in again to see the 2FA challenge:

The 2FA challenge page

Select the TOTP provider. Next, you’ll be prompted to enter a TOTP code. So grab your phone again, open the TOTP app and enter the 6-digit code that has been generated for you:

Type in your TOTP code

If everything was set up correctly, you’ll be redirected to your Nextcloud account. Since the code is time-based, it’s important that your server’s and your smartphone’s clock are almost in sync. A time drift of a few seconds won’t be a problem.

Enhancements planned for Nextcloud 11

Based on the feedback I already got, I’ve made some small enhancements that will be included in Nextcloud 11:

Known problems

Please let me know about any other problems on GitHub.