Easily setup Signal 2FA on Nextcloud 14

Two-factor authentication (short 2FA) is an important security concept to secure unauthorized access to your web applications. Popular online services like Google Mail, Instagram or Facebook already provide this mechanism to secure user accounts with an additional one-time token. Considering someone is able to obtain your username and password combination, for example on a public internet terminal in the library or the airport, he or she won’t be able to gain access on a second device without knowing the additional security token (the second factor). This token will be send to you on a different channel or device.

Starting with version 14 of Nextcloud, there’s now also a new app called two-factor gateway which can send these additional tokens to Signal Messenger, Threema, E-Mail etc. Setting up this infrastructure is a bit more complex since your server must be able to support one of these gateways. In this post I’ll describe how to setup the Signal 2FA gateway on an Archlinux machine.

Signal 2FA setup

To get started, it is recommended to get a new, temporary “disposible mobile phone number” for the registration process. I ordered a batch of phone numbers on the site getsmscode.com (which is a bit shady …) and was able to register and verify this new number on the Signal servers. First, install the Nextcloud app and the gateway daemon:

pacaur -S nextcloud-app-twofactor-gateway signal-web-gateway

Put your phone number into the configuration file at /etc/webapps/signal-web-gateway/config.yml:

[...]
tel: "+1774****"
[...]

Configure the gateway and verify the phone number (you’ll receive the verification SMS on the merchant website):

cd /usr/share/webapps/nextcloud
sudo -u http ./occ twofactorauth:gateway:configure signal # leave default options (press return)
cd /var/lib/signal-web-gateway
sudo -u signal signal-web-gateway # enter verification
systemctl enable --now signal-web-gateway

Enable the twofactor gateway app in Nextcloud and configure it on your user settings page in the security part (see the following picture).

Next time you login into Nextcloud you’ll be asked for the token after entering username and password.

Your Signal gateway needs to approve your new device key in case you reinstall Signal on your phone. Otherwise the recipient is untrusted and you wont receive 2FA messages anymore. A quick workaround is to remove the old identity file and restart the gateway service:

rm /var/lib/signal-web-gateway/.storage/identity/remote_1234
systemctl restart signal-web-gateway

The filename “remote_1234” has to be changed, matching your recipient phone number.

Device and client specific passwords

Other clients which access your Nextcloud instance might need to be reconfigured after enabling two-factor authentication. For instance, I use the Android app DavDroid for syncing my contacts and calendar entries and it won’t be able to login with 2FA enabled. In such cases, you’ll need to generate an app specific password, as shown in the picture above, which will be used only by this app and won’t require 2FA.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

* Checkbox GDPR is required

*

I agree

Software
Jellyfin media server on Archlinux ARM

In this post, I want to share some insights on building Jellyfin media server for Archlinux ARM. The PKGBUILD for Jellyfin one can find on the AUR, is specifically made for 64 bit architectures. Nevertheless Microsoft released the dotnet runtime, which Jellyfin relies on instead of Mono, also for Linux …

Software
2
Voice control Archlinux with Amazon Alexa

I was interested to see how commercial voice recognition software would behave on an usual Linux laptop and tried to deploy an Amazon Alexa instance. There are some installation scripts and tutorials available for Ubuntu and Raspberry PI using the avs-device-sdk from Github. Even though some of them are official …

Software
3
Auto update Archlinux and user repository

In this post I’m going to describe on how to setup automatic package upgrades / system updates. In the first part, a systemd service script and timer triggers the package manager pacman to automatically sync the repositories and upgrade the packages every hour: The last command enables (on boot) and …