How to Use Two-Factor Authentication With the ownCloud Desktop Client or Mobile Apps
With recent news of data breaches and cracked accounts, we’re glad about ownCloud’s focus on security. How you can benefit from it? Combine OAuth2 with Two-Factor Authentication to protect your account from hackers!
“The most recent data breach?”, you may ask, “what was it – oh, this article is from 2019, lol.”
But let’s be honest, even if you read this article in 2021, there will always be a most recent data breach. The struggle for more secure IT infrastructure is an uphill battle, and it is hard to stay up-to-date.
Our readers’ feedback to my recent article about password managers showed that there is a lot of interest in security. So this blogpost aims to help you leverage ownCloud’s security features. One of those is Two-Factor Authentication.
Two-Factor Authentication: What’s it About?
A second factor is very useful to protect your account against password theft. If your password gets cracked or found because you reused it in a powned service, a second authentication factor will protect you against hackers.
With Two-Factor Authentication, you have a second factor that proves that you are you. It could be a hardware token or an app on your phone – this proves that you not only can memorize the password (the first factor), but also have your mobile phone with you (the second factor).
In practice: first you open your browser and login with your username and password. Then you get asked for your second factor, e.g. a TOTP app. You open the app on your phone, and a time-based one-time password (TOTP) shows. Finally, you enter it – and you’re logged in.
If an attacker wants to hack your account, they would have to do the same. So stealing your password isn’t enough anymore – they also need to steal your phone. This is way harder, and your account is more secure.
Setup Two-Factor Authentication for ownCloud – Step by Step
How to enable Two-Factor Authentication? You don’t need special tech skills. You need ownCloud admin privileges – but you can also just ask your admin to install the necessary ownCloud Server Apps. Okay, let’s get started:
Setup OAuth2 on the Server
You don’t need OAuth2 to use Two-Factor Authentication in your browser – but if you want to use the Android app, the iOS app, or the Desktop client, you will need to install OAuth2 on the ownCloud Server.
If you don’t have admin privileges, contact your admin to do it. Show them this blogpost – it’s only one click in the Market app. You need this app to get OAuth2 working for all users.
OAuth2 has even more useful security features – it provides tokens for each single device. Your client doesn’t need to know your password. And if your device gets stolen, you can disable the OAuth2 token in the web interface. This way, your data stays safe.
You can read this blogpost to learn about all its advantages and how it works in detail. Note that after the installation, all clients of all users will sooner or later have to reauthenticate.
Setup Your Second Authentication Factor
There are three Server apps for Multi-Factor Authentication in ownCloud: OpenOTP, PrivacyIDEA, and TOTP. They all offer different advantages. For simplicity, we will look at the TOTP app in this article.
First, install the TOTP app to the server, or ask your admin to do it. It’s another one-click installation that doesn’t require further configuration by the admin – but each user has to set it up for themselves.
To enable it for your account, you need a second factor. With the Open Source app FreeOTP you can use your Android or iOS phone. Install FreeOTP via GooglePlay, F-Droid, or the Apple Appstore.
Now login to your ownCloud account in the browser. For the next steps, be careful that you don’t log out again before you’re sure that it works. You don’t want to get locked out of your account accidentally, right?
(if you got locked out of 2FA even though we warned you, these instructions might help you.)
To get started, go to Personal Security Settings. Click on the “Activate TOTP” checkbox – a QR code appears.
Scan the QR Code with the FreeOTP app. Then you can generate an authentication code with FreeOTP and enter it into the web interface. When you click “Verify”, you enable Two-Factor Authentication for your account.
Login to Your Account With the Android App
Now we can try out whether it works. Open the ownCloud Android app. Add a new account, and enter the server URL:
Now a small browser opens. It shows the login page of the web interface, where you can enter you username and password:
After that, you are asked for a TOTP token: generate a one-time password with FreeOTP and enter it into the form. It should consist of six numbers.
Then click on authorize – an OAuth2 token is generated for your app. Your phone will be logged in permanently – or at least until you revoke the OAuth2 token.
Try it out!
Let me know if this guide works out for you, and give the other Two-Factor Authentication options a try.
Especially PrivacyIDEA is really versatile and useful for large organizations, it even offers Multi-Factor Authentication with more than two factors. I just didn’t use it in the example because it requires an extra server.
What do you think about these security features? Leave a comment below or share this post on social media!