How to Use Two-Factor Authentication With the ownCloud Desktop Client or Mobile Apps

With recent news of data breaches and cracked accounts, we’re glad about ownCloud’s focus on security. How can you benefit from it? Combine OAuth2 with Two-Factor Authentication to protect your account from hackers!

“The most recent data breach?”, you may ask, “what was it – oh, this article is from 2019, lol.”

But let’s be honest, even if you read this article in 2021, there will always be a most recent data breach. The struggle for more secure IT infrastructure is an uphill battle, and it is hard to stay up-to-date.

Our readers’ feedback to my recent article about password managers showed that there is a lot of interest in security. So this blogpost aims to help you leverage ownCloud’s security features. One of those is Two-Factor Authentication.

 

Two-Factor Authentication: What’s it About?

A second factor is very useful to protect your account against password theft. If your password gets cracked or found because you reused it in a pwned service, a second authentication factor will protect you against hackers.

With Two-Factor Authentication, you have a second factor that proves that you are you. It could be a hardware token or an app on your phone – this proves that you not only can memorize the password (the first factor), but also have your mobile phone with you (the second factor).

 

There are many possible tokens for Two-Factor Authentication. You can even use your phone as a second factor.

 

In practice: first you open your browser and log in with your username and password. Then you get asked for your second factor, e.g. a code from a TOTP app. You open the app on your phone, and it displays a time-based one-time password (TOTP). Finally, you enter it – and you’re logged in.

If an attacker wants to hack your account, they would have to do the same. So stealing your password isn’t enough anymore – they also need to steal your phone. This is way harder, and your account is more secure.

 

Setup Two-Factor Authentication for ownCloud – Step by Step

How to enable Two-Factor Authentication? You don’t need special tech skills. You need ownCloud admin privileges – but you can also just ask your admin to install the necessary ownCloud Server Apps. Okay, let’s get started:

 

Setup OAuth2 on the Server

You don’t need OAuth2 to use Two-Factor Authentication in your browser – but if you want to use the Android app, the iOS app, or the Desktop client, you will need to install OAuth2 on the ownCloud Server.

If you don’t have admin privileges, contact your admin to do it. Show them this blogpost – it’s only one click in the Market app. You need this app to get OAuth2 working for all users.

 

You can install the OAuth2 app to ownCloud in the Market app.

 

OAuth2 has even more useful security features – it issues a separate token for each device. Your client doesn’t need to know your password. And if your device gets stolen, you can disable the OAuth2 token in the web interface. This way, your data stays safe.

You can read this blogpost to learn about all its advantages and how it works in detail. Note that after the installation, all clients of all users will sooner or later have to reauthenticate.

 

With OAuth2, an app is authorized by token exchanges in the background.

 

Setup Your Second Authentication Factor

There are three Server apps for Multi-Factor Authentication in ownCloud: OpenOTP, PrivacyIDEA, and TOTP. They all offer different advantages. For simplicity, we will look at the TOTP app in this article.

First, install the TOTP app to the server, or ask your admin to do it. It’s another one-click installation that doesn’t require further configuration by the admin – but each user has to set it up for themselves.

 

You can install the Two-Factor Authentication app to ownCloud in the Market app.

 

To enable it for your account, you need a second factor. With the Open Source app FreeOTP you can use your Android or iOS phone. Install FreeOTP via Google Play, F-Droid, or the Apple App Store.

Now log in to your ownCloud account in the browser. For the next steps, be careful that you don’t log out again before you’re sure that it works. You don’t want to get locked out of your account accidentally, right?

(If you got locked out of 2FA even though we warned you, these instructions might help you.)

To get started, go to Personal Security Settings. Click on the “Activate TOTP” checkbox – a QR code appears.

 

Scan the QR code with FreeOTP to enable your phone as a second factor.

 

Scan the QR Code with the FreeOTP app. Then you can generate an authentication code with FreeOTP and enter it into the web interface. When you click “Verify”, you enable Two-Factor Authentication for your account.

 

Generate a one-time password with FreeOTP and verify it in the web interface.

 

Login to Your Account With the Android App

Now we can try out whether it works. Open the ownCloud Android app. Add a new account, and enter the server URL:

 

Add a new account and enter the server URL.

 

Now a small browser opens. It shows the login page of the web interface, where you can enter your username and password:

 

Log in with username and password, as you are used to. The second factor comes afterwards.

 

After that, you are asked for a TOTP token: generate a one-time password with FreeOTP and enter it into the form. It should consist of six digits.

 

Now you can generate a one-time password with the FreeOTP app and enter it into the web interface.

 

Then click on authorize – an OAuth2 token is generated for your app. Your phone will be logged in permanently – or at least until you revoke the OAuth2 token.

 

Click on “Authorize” to grant access to your app.

 

Try it out!

Let me know if this guide works out for you, and give the other Two-Factor Authentication options a try.

PrivacyIDEA in particular is really versatile and useful for large organizations; it even offers Multi-Factor Authentication with more than two factors. I just didn’t use it in the example because it requires an extra server.

What do you think about these security features? Leave a comment below or share this post on social media!

ownCloud

March 21, 2019
