Easily setup Signal 2FA on Nextcloud 14

Two-factor authentication (2FA for short) is an important security concept for protecting your web applications against unauthorized access. Popular online services like Google Mail, Instagram or Facebook already provide this mechanism to secure user accounts with an additional one-time token. If someone is able to obtain your username and password combination, for example on a public internet terminal in a library or at the airport, he or she won’t be able to gain access from a second device without knowing the additional security token (the second factor). This token is sent to you over a different channel or device.

Starting with version 14 of Nextcloud, there’s now also a new app called two-factor gateway which can send these additional tokens via Signal Messenger, Threema, e-mail etc. Setting up this infrastructure is a bit more complex since your server must be able to run one of these gateways. In this post I’ll describe how to set up the Signal 2FA gateway on an Archlinux machine.

Signal 2FA setup

To get started, it is recommended to get a new, temporary “disposable mobile phone number” for the registration process. I ordered a batch of phone numbers on the site getsmscode.com (which is a bit shady …) and was able to register and verify this new number on the Signal servers. First, install the Nextcloud app and the gateway daemon:

pacaur -S nextcloud-app-twofactor-gateway signal-web-gateway

Put your phone number into the configuration file at /etc/webapps/signal-web-gateway/config.yml:

tel: "+1774****"

Configure the gateway and verify the phone number (you’ll receive the verification SMS on the merchant website):

cd /usr/share/webapps/nextcloud
sudo -u http ./occ twofactorauth:gateway:configure signal # leave default options (press return)
cd /var/lib/signal-web-gateway
sudo -u signal signal-web-gateway # enter verification
systemctl enable --now signal-web-gateway

Enable the two-factor gateway app in Nextcloud and configure it on your user settings page in the security section (see the following picture).

The next time you log in to Nextcloud you’ll be asked for the token after entering your username and password.
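To make the gateway idea concrete, here is an added, illustrative model of the second login step (not the two-factor gateway app’s own code): after the password check, a short random code is handed to a pluggable “send” function standing in for the Signal gateway, and the code is accepted only once, only within a time window, and only for a few attempts. The `GatewayTwoFactor` class, its limits and the sample recipient number are constructed for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingChallenge:
    code_hash: bytes      # only a keyed hash is kept, so a leaked table reveals no live codes
    expires_at: float
    attempts: int = 0


class GatewayTwoFactor:
    """Second factor delivered out of band: the code never travels over the login channel."""
    CODE_DIGITS = 6
    TTL_SECONDS = 300     # constructed limit: code is valid for five minutes
    MAX_ATTEMPTS = 3      # constructed limit: lock the challenge after three wrong guesses

    def __init__(self, send_fn, clock=time.time):
        self._send = send_fn          # callable(recipient, message); stands in for the Signal gateway
        self._clock = clock           # injectable for testing expiry
        self._pending = {}            # user -> PendingChallenge
        self._secret = secrets.token_bytes(32)

    def _hash(self, code):
        return hmac.new(self._secret, code.encode(), "sha256").digest()

    def start(self, user, recipient):
        # Zero-padded random code; randbelow is CSPRNG-backed, unlike random.randint.
        code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        self._pending[user] = PendingChallenge(self._hash(code), self._clock() + self.TTL_SECONDS)
        self._send(recipient, f"Your Nextcloud login code is {code}")

    def verify(self, user, submitted):
        ch = self._pending.get(user)
        if ch is None:
            return False              # no challenge outstanding (never started, expired, or used)
        if self._clock() > ch.expires_at:
            del self._pending[user]
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code_hash, self._hash(submitted))
        if ok or ch.attempts >= self.MAX_ATTEMPTS:
            del self._pending[user]   # single use on success, lockout after too many guesses
        return ok


if __name__ == "__main__":
    tf = GatewayTwoFactor(lambda rcpt, msg: print(f"[signal -> {rcpt}] {msg}"))
    tf.start("alice", "+1774000000")  # constructed recipient number
    print("accepted:", tf.verify("alice", input("code: ")))
```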

Your Signal gateway needs to approve your new device key if you reinstall Signal on your phone. Otherwise the recipient is untrusted and you won’t receive 2FA messages anymore. A quick workaround is to remove the old identity file and restart the gateway service:

rm /var/lib/signal-web-gateway/.storage/identity/remote_1234
systemctl restart signal-web-gateway

The filename “remote_1234” has to be changed, matching your recipient phone number.

Device and client specific passwords

Other clients which access your Nextcloud instance might need to be reconfigured after enabling two-factor authentication. For instance, I use the Android app DavDroid for syncing my contacts and calendar entries and it won’t be able to log in with 2FA enabled. In such cases, you’ll need to generate an app-specific password, as shown in the picture above, which will be used only by this app and won’t require 2FA.
