Two-factor authentication (2FA for short) is an important security concept for protecting your web applications against unauthorized access. Popular online services like Google Mail, Instagram or Facebook already offer this mechanism to secure user accounts with an additional one-time token. Suppose someone obtains your username and password combination, for example on a public internet terminal in a library or at the airport: without the additional security token (the second factor) they still cannot log in from a second device. This token is sent to you over a different channel or device.
Starting with version 14 of Nextcloud, there is also a new app called two-factor gateway which can send these additional tokens via Signal Messenger, Threema, e-mail etc. Setting up this infrastructure is a bit more complex since your server must be able to support one of these gateways. In this post I'll describe how to set up the Signal 2FA gateway on an Archlinux machine.
Signal 2FA setup
To get started, it is recommended to get a new, temporary “disposable mobile phone number” for the registration process. I ordered a batch of phone numbers on the site getsmscode.com (which is a bit shady …) and was able to register and verify this new number on the Signal servers. First, install the Nextcloud app and the gateway daemon:
pacaur -S nextcloud-app-twofactor-gateway signal-web-gateway
Put your phone number into the configuration file at /etc/webapps/signal-web-gateway/config.yml:
[...]
tel: "+1774****"
[...]
Configure the gateway and verify the phone number (you'll receive the verification SMS on the merchant's website):
cd /usr/share/webapps/nextcloud
sudo -u http ./occ twofactorauth:gateway:configure signal   # leave default options (press return)
cd /var/lib/signal-web-gateway
sudo -u signal signal-web-gateway   # enter verification
systemctl enable --now signal-web-gateway
Enable the two-factor gateway app in Nextcloud and configure it in the security section of your personal settings page (see the following picture).
The next time you log in to Nextcloud you'll be asked for the token after entering your username and password.
Your Signal gateway needs to approve your new device key if you reinstall Signal on your phone. Otherwise the recipient is treated as untrusted and you won't receive 2FA messages anymore. A quick workaround is to remove the old identity file and restart the gateway service:
rm /var/lib/signal-web-gateway/.storage/identity/remote_1234
systemctl restart signal-web-gateway
Replace the filename “remote_1234” with the one matching your recipient phone number.
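A small helper for the re-trust step just described, added here as an example and not part of the original post or of the signal-web-gateway project: it validates the recipient number, moves the stale identity file aside instead of deleting it (so it can be restored), and restarts the service only when it is actually running. The store path and the "remote_<recipient digits>" filename pattern are assumptions generalised from the remote_1234 example above.

```shell
#!/bin/sh
# Added example (not from the original post or the signal-web-gateway project):
# safely reset the stored identity of a 2FA recipient after they reinstalled
# Signal. ASSUMPTION: identity files live in STORE_DIR and are named
# "remote_<recipient digits>", generalising the "remote_1234" shown above.
STORE_DIR="${STORE_DIR:-/var/lib/signal-web-gateway/.storage/identity}"
SERVICE="signal-web-gateway"

# Strip formatting from a phone number and require E.164 shape: a leading
# '+' followed by 8 to 15 digits. Prints the digits; fails on anything else.
normalize_number() {
    digits=$(printf '%s' "$1" | tr -d ' ()-')
    case "$digits" in
        +[0-9]*) digits=${digits#+} ;;
        *) return 1 ;;
    esac
    case "$digits" in *[!0-9]*) return 1 ;; esac
    [ "${#digits}" -ge 8 ] && [ "${#digits}" -le 15 ] || return 1
    printf '%s\n' "$digits"
}

# Print the path of the recipient's identity file, or fail if none exists.
find_identity_file() {
    store="$1"
    digits=$(normalize_number "$2") || return 1
    [ -f "$store/remote_$digits" ] || return 1
    printf '%s\n' "$store/remote_$digits"
}

# Move the stale identity aside (kept for rollback rather than deleted) and
# restart the gateway, if systemd reports it running, so it re-learns the
# recipient's key on the next send. A third argument of 1 is a dry run.
reset_identity() {
    store="$1"; number="$2"; dry_run="${3:-0}"
    f=$(find_identity_file "$store" "$number") || { echo "no identity file for $number in $store" >&2; return 1; }
    if [ "$dry_run" = 1 ]; then
        echo "would move $f to $f.stale"
        return 0
    fi
    mv "$f" "$f.stale.$(date +%s)" || return 1
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet "$SERVICE"; then
        systemctl restart "$SERVICE"
    fi
}

# Usage: sh reset-signal-identity.sh +1774XXXXXXX [1]   (1 = dry run only)
if [ "$#" -ge 1 ]; then reset_identity "$STORE_DIR" "$1" "${2:-0}"; fi
```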
Device and client specific passwords
Other clients that access your Nextcloud instance might need to be reconfigured after enabling two-factor authentication. For instance, I use the Android app DavDroid for syncing my contacts and calendar entries, and it won't be able to log in with 2FA enabled. In such cases, you'll need to generate an app-specific password, as shown in the picture above, which is used only by this app and doesn't require 2FA.