How to enable 2FA on a per-user basis in Nextcloud

If you want to enable two-factor authentication for Nextcloud on a per-user basis, it's just a simple app installation away.

How to enable 2FA on a per-user basis in Nextcloud

If you've deployed Nextcloud as your on-premises cloud server, you've probably already taken some steps to secure the platform. If that's the case, you might be looking to enable two-factor authentication (2FA). Although it's a good idea to enforce such a policy, what happens when the server is only accessible from within your LAN and you have some accounts who should use 2FA and some who shouldn't?

Fortunately, with the latest releases of Nextcloud--and a handy app--it's possible to make it such that your users can decide if 2FA is necessary for their account.

I can already hear your guffaws. You're thinking, "It's my choice, as the admin, whether or not 2FA is used." But what about that CEO? Or anyone above you, for that matter? You might find yourself in a situation where there are particular users (with the power to do so) who insist they do not have to take the extra step for logging in.

Of course, this might be a different case if the server was accessible from the WAN. At that point, you'd insist 2FA is enabled for all accounts. But a LAN-only server? A per-user enabling could be feasible. 

And that's exactly what I'm going to show you. Once you have this setup taken care of, it'll be up to your users whether or not they want to take advantage of this added layer of security.

SEE: Hybrid cloud: A guide for IT pros (TechRepublic download)

What you'll need

  • A running instance of Nextcloud (version 16+)

  • A Nextcloud account that has admin privileges

How to install the 2FA plugin

The first thing you must do is enable two-factor authentication for your Nextcloud server. To do this, log in as the admin user, click your profile icon (in the upper-right corner) and click Apps. In the resulting search field, type TOTP (Figure A).

Figure A


Locating the correct 2FA app.

When the app appears, click Enable (Figure B).

Figure B


Enabling the TOTP app.

Once you've enabled the app, 2FA is ready. You now have two choices:

  1. Enforce system-wide usage of 2FA.
  2. Allow users to choose whether or not to enable 2FA.

If you opt to enable it system-wide, click your profile icon again and click Settings. Under Administration, click Security. In the resulting window, click the check box for Enforce Two-Factor Authentication (Figure C).

Figure C


Enabling system-wide 2FA.

If you opt to go the individual route, there's nothing more for you to do.

How to enable 2FA on a per-user basis

For each user to enable 2FA for their Nextcloud account, they must do this:

  1. Log in to Nextcloud.
  2. Click on their user profile icon.
  3. Click Settings.
  4. Click Security under Personal in the left sidebar.
  5. Click the check box for Enable TOTP.
  6. Scan the presented QR Code with a mobile authentication app, such as Authy (Figure D) .
  7. Type the authentication code given by the app and click Verify.

Figure D


Enabling 2FA for an account.

And that's it. The next time the user logs in to their Nextcloud account, they'll be required to enter the 2FA code from their mobile app.

Congratulations, you've just made it possible for your Nextcloud users to decide if they want to add two-factor authentication to their Nextcloud account. Just remember, it is in your power to enforce the policy system-wide, so if you don't trust your users to do so, take the necessary precautions to lock down every account with the added layer of protection.

Also see


Image: Jack Wallen