Two-factor authentication adds an additional layer of security to user accounts. In order to log in on an account with two-factor authentication (2FA) enabled, it is necessary to provide both the login password and another factor. 2FA in Nextcloud is pluggable, meaning that they are not part of the Nextcloud Server component but provided by featured and 3rd-party Nextcloud apps.
Several 2FA apps are already available including TOTP, a Telegram/Signal/SMS gateway and U2F.
Developers can build new two-factor provider apps.
Enabling two-factor authentication
You can enable 2FA by installing and enabling a 2FA app like TOTP which works with Google Authenticator and compatible apps. The apps are available in the Nextcloud App store so by navigating there and clicking enable for the app you want, 2FA will be installed and enabled on your Nextcloud server.
Once 2FA has been enabled, users have to activate it in their personal settings.
Enforcing two-factor authentication
By default 2FA is optional, hence users are given the choice whether to enable it for their account. Admins may enforce the use of 2FA.
Enforcement is possible system-wide (all users), for selected groups only and can also be excluded for certain groups.
These settings can be found in the administrator’s security settings.
When groups are selected/excluded, they use the following logic to determine if a user has 2FA enforced:
If no groups are selected, 2FA is enabled for everyone except members of the excluded groups
If groups are selected, 2FA is enabled for all members of these. If a user is both in a selected and excluded group, the selected takes precedence and 2FA is enforced.