If tech sites would write about every individual data leak, they’d have no time to cover anything else. Generally, only email-and-password leaks numbered in the millions get covered. LinkedIn: 164 million. Adobe: 38 million. MySpace: 359 million. Facebook: 200 to 600 million.
It should be painfully clear that you can’t count on large tech companies to secure data sufficiently. The more important point here is, however, that passwords do not offer sufficient security. Most experts agree that it is time for a radical change. But how? A few solutions exist.
There are dozens of websites like Have I Been Pwned who inform users about theft of their accounts – Nextcloud uses this service to block users picking a leaked combination of username and passwords. The problem here is, of course, that users tend to re-use passwords across services. Password managers offer a solution to this, automatically generating a secure password for each site a user uses. While that does create a single location which could be hacked, there have been no known, large password manager leaks yet.
Another solution is single sign-on. Users can log into various services using their Google or Facebook account. The advantage is, indeed, that you only need to remember one password. The downside is, of course, that these companies gain incredible power and know everything the user does. The vendor-lock-in is severe. Users who wanted to cancel Facebook accounts due to the continuing stream of security, privacy and ethical violations discovered they would lose attached accounts. For example, a Spotify account, with all favorite music and playlists, would disappear as well.
A far better solution is second-factor authentication (2fa). This essentially means that rather than logging in with a single method of identity verification, like knowledge of a password, a service will ask for a second verification factor. For example, a code the user receives in a SMS or from an app. This would prove that not only does the user know the password, he/she also has his or her phone on them. An attacker would of course have a much harder time getting their hands on both.
Is this more secure? You bet it is. While SMS itself is not the most secure method, Microsoft has estimated that 99.9% of all attacks on Hotmail and Outlook accounts is blocked by 2fa.
So why does not everybody use a second factor like an SMS to secure logging in? There is a variety of reasons for this. With regards to SMS as second factor, users are worried about the privacy implications. They are not comfortable handing over their phone number to a service, and those worries are not unjustified. Last year, it turned out that Facebook was using the phone numbers users gave for second-factor authentication for advertisement.
But there are other issues. Two-factor authentication via SMS is relatively easy, but other factors, like TOTP, which requires users to install an app, scan a qr code on the screen and then manually enter codes, are far more complicated. Or expensive – while hardware keys are easy to use and very secure, the prices are typically over 50 euro for a key.
So 2FA is a great solution, but it tends to complicate things. How does Nextcloud deal with this dilemma?
Our security team always works with two simple but important assumptions: if it is difficult to use, it is less secure. And not all users are the same!
We therefore designed a number of second factors and allow administrators and users to enable and use any number of them. Currently, the following are supported and we’ll explain each of them quickly:
Now, as you can imagine, each of these methods has its downsides and benefits. SMS are quite easy – if you have set it up as administrator and if you trust the telephone network. Signal and Telegram are nice as well, but it is hard to guarantee that all users have these chat apps!
TOTP has many apps available and can be used on many devices but is more complicated, U2F is very secure but expensive. Receiving a code in an email is a familiar method but emails can be intercepted. Notifications are supremely easy to use and secure. That last option should not be missing on Nextcloud installations!
Backup codes are a great way to ensure users don’t get stuck without being able to log in.
Let’s dive deeper into all these methods so you know what their benefits and downsides are, and which you should consider enabling on your Nextcloud server.
This ‘factor’ is a device-generated code. This code can be used to log in, usually only once. An OTP code can have an expiration date, though often they are quite long. The user has to enter them to log in.
The popular time-based variant changes the code frequently – the most used TOTP standard generates 6 digits every 30 seconds. There are hardware tokens which have a simple display showing the codes. On mobile phones, various apps for implement this standard, from the Google Authenticator app to various free and paid alternatives.
To set up TOTP, users have to give the TOTP device a long code to initiate the connection, in many cases this can be done by scanning a QR code to avoid having to type anything.
During use, a TOTP device does not need to communicate with the service being used, it does not even need to know anything about it. This thus works without connection or on a local, firewalled network.
A downside of TOTP is that it is vulnerable to various forms of man-in-the-middle attacks. A hacker can set up a fake website designed to trick visitors into submitting their credentials. When a user falls into the trap and enters their information, the hacker gains access to their account. This attack is not easy to pull off: users have to visit the site of the attacker and mistake it for their usual website.
When enabled by the admin, users can set up TOTP in their security settings:
U2F is a bit similar to OTP, in that a device generates a code. But, unlike OTP, users don’t have to enter it. The process has to be handled by the client, for example a browser, or an application, directly. A U2F device thus has to be connected physically. USB or NFC are the most typically used methods for this.
The service will communicate with the U2F device, using a public key encryption and a challenge-response model, which makes it impossible to ‘attack’ using the man-in-the-middle attack that (T)OTP is vulnerable to.
The downside is the need of support for the devices. Browsers and apps all have to work with this and connecting a phone to a computer via USB or NFC, or connecting a hardware U2F key to a phone can be difficult in some situations.
U2F can also be setup by users in their security settings:
Many users are probably familiar with receiving a code through SMS and entering it into a website login portal. Nextcloud supports connecting to such a ‘SMS gateway’, and can also use Telegram and Signal through this system. While it is not extremely hard to intercept an SMS, Telegram and Signal messages are quite secure. Unfortunately, not many users have these apps installed, so they are not suitable as general solutions for all users.
Another issue is that it takes some work from the system administrator to set up and configure these methods. You can find documentation here.
The fourth method is also rather familiar to users: receiving a code in their email. While email, too, is relatively easy to intercept, this nonetheless makes logging in a lot more secure and it is easy to set up and use.
Probably the easiest way for users to log into their Nextcloud is through a notification on an existing device or session. Nextcloud will simply create a notification, allowing the user to click ‘approve’ or ‘deny’. This works from a browser session, mobile phone and desktop client and requires no configuration on the side of the user.
In the user security settings, a option for creating backup codes is given. This allows the user to generate a series of codes and store them in a secure location. Each of these codes can be used, once, as second factor to log into Nextcloud. If all other methods fail, this gives the user still access to their account…
In case all else fails, users can contact their system administrator. If enabled, the admin can create a one-time login code the user can use as second factor. To make it easy for companies to delegate this to personnel in a support team without giving them full administrator access, group admins also have the ability to create second-factor backup codes for their users.
Recapping: second-factors are incredibly important to secure accounts. While they typically have some drawbacks, the wide range of options in Nextcloud, including the incredibly user friendly ‘notification’ option, make 2fa a must-have on Nextcloud. Enable it today and leave feedback on your experience below!
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
Read More
Nextcloud has been awarded Platinum at the IT Awards 2024. Today, we celebrate this win together!
Read More
The first ethical, open-source AI assistant that can get a multitude of tasks done for you without compromising your data.
Read More
Nextcloud Hub 9 lets you stay connected. Discover new federation features, workflow automation, big design overhaul and much much more in your favourite open-source collaboration platform!
Read More
DIE ZEIT, a prominent German outlet, interviewed Nextcloud’s founder Frank Karlitschek for an article on Microsoft’s anti-competitive behaviour on the European office software market. Read for a recap of the article and the key takeaways.
Read More
MagentaCLOUD’s migration to Nextcloud in 2021 resulted in a fully equipped Online Storage with an integrated online office suite that further improves the user experience, flexibility and security for customers.
Read More
We bring you a major update to the Nextcloud AI Assistant, plus the news we work with several big hosting providers like IONOS and OVHcloud to bring AI-as-a-Service options to you!
Read More
Bechtle and Nextcloud announce today a complete managed collaboration platform for the public sector that requires no tender and can be deployed immediately.
Read More
Discover how to make the switch from ownCloud to Nextcloud. Our quick guide provides insights into the migration process, helping you make the transition smoothly.
Read More
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
Read More
Nextcloud founder and CEO Frank Karlitschek earns the honorary SFS Award at the 20th annual SFSCON taking place in South Tyrol, Italy.
Read More
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Read More
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
Read More
On December 3rd, we invite you to the Nextcloud Enterprise Day Paris, Nextcloud's flagship event for professionals. The day will kick off with a keynote by our CEO and founder, Frank Karlitschek—a highlight where he will share our vision for the future of online collaboration, followed by a major announcement about Nextcloud Talk!
Read More
Maintenance updates 28.0.12, 29.0.9 and 30.0.2 for Nextcloud Hub 7, 8 and 9 respectively are here! Read an update summary and access full changelog on the website.
Read More
