Is it possible to enable 2FA in the Android app? I have TOTP enabled for the web interface and it works well with my LastPass Authenticator 2FA app. But I don’t see how to enable 2FA in the NextCloud Android app.
Thanks for any insight.
2FA is enabled on the server side, which the client application will comply with.
https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/two_factor-auth.html
Thanks, misc. But I have 2FA enabled on the server, and I am prompted for the OTP when I log onto the website. However, I am not prompted for an OTP when I use the Android app (3.29.2). Specifically, I establish an SSH tunnel between my Android and my Nextcloud server. Then, I can open the Nextcloud app and access my files, but am not prompted for an OTP.
2FA is not available for Nextcloud clients such as Android. At most, there are app passwords that could be used. 2FA would be quite impractical, as the Nextcloud clients are designed for permanent synchronisation. 2FA is more of a nuisance.
However, Nextcloud clients such as for Android use tokens. As soon as you have logged in once, time-limited tokens are used, which are probably updated again and again.
An improvement would perhaps be if the initial setup of a Nextcloud client, e.g. for Android, could or had to be carried out via 2FA. But I don’t know whether this is possible.
Just a little clarification on what 2FA is (and what it is not):
First of all, the Nextcloud mobile app does of course support 2FA.
However, 2FA is a second factor in the authentication/login process and therefore an inseparable part of that process, not a standalone feature that can be used to “lock” apps once you are already logged in.
So, like any other mobile app, a 2FA protected service will only ask you for the TOTP code once when you first log in to your account, unless the app completely logs you out every time you close it (I don’t know of any apps that do this), or you manually log out every time, which imho would be completely impractical for mainly two reasons:
Background processes such as automatic uploads would not work while you’re logged out.
You would have to go through the whole authentication process again (not just the 2FA code) every time you start the app.
However, you can protect the app with a PIN or biometric that you have to enter every time you start the app.
To specify this more precisely: You not only have to log out completely, but also delete the tokens you have already used. This only happens when the Nextcloud app is reinstalled and not, for example, after rebooting the smartphone.
Yeah right, this is a design flaw or bug that most users will never notice because most users never log out of their mobile apps and very few apps are designed to do this on a daily basis, I mean like no mobile app I use is designed to log out on a daily basis. However, I agree that it should be possible without having to re-install the app.
Nevertheless, the way I see it, you either trust your smartphone and the OS with the things you need on a daily basis, or you could use a hardened Android ROM like GrapheneOS, or a Linux phone where you have more control (but is probably less secure by default than Android or iOS), or if you have no trust at all, you probably shouldn’t use one and buy a dumb phone.
But I don’t see that Nextcloud would need to change anything regarding this in their app (apart from the bug that requires you to completely reinstall the app to properly log out), as it works more or less like all mobile apps. You stay logged in and have the option to protect the app with a PIN or biometrics.
Thank you for the clarification regarding Nextcloud not logging out short of a re-install. That does explain why 2FA would not work.
Hm, I wonder why banking apps demand e.g. your fingerprint when opening them, if the phone is already trusted? Especially for E2EE it would make sense to ask for a second factor on opening the app, which is different to “on login”.
That’s not the same thing as re-requesting a TOTP code. A TOTP code is tied to the log-in process. But you can have “a second factor” with the Nextcloud app as well (at least on Android), it’s just not forced on users or enabled by default.
To enable it, go to “Settings” → “App-PIN”, and choose either “PIN” or “device login data”. (Things may be named differently in the English version, because I translated the terms from the German version.)
That’s true.
A PIN is not the same thing as an OTP code. The two factors in “2FA” are typically “Something you know and something you have.” The “Something you know” is your password. The “Something you have” is a trusted device that will generate the unique, correct, time-sensitive OTP code. PINs are not time sensitive. Using a password and a PIN is not 2FA, as they are both simply “something you know.”
sven1234’s banking example is fair. There is no technical reason why an OTP needs to be tied to a login. An app could have the option to trigger an OTP query upon any number of factors, such as opening a window after a user inactivity timeout. The password manager on my phone works like this.
Well, I’m not a developer, but as I understand it, it’s definitely tied to the authentication process or login flow, and it gets triggered after a successful login happened. So I’m pretty sure it’s not possible to just re-trigger 2FA without involving the authentication backend/login flow.
However, and I hadn’t thought of this, it might actually be possible to do this without making the user go through the entire login flow again if certain conditions are met.
In any case, and even if my assumptions were completely wrong, if you or others in this thread are interested in such a feature, it’s probably best to open a feature request on GitHub and discuss it directly with the developers, as they should know best how it works, how it’s implemented, and what’s possible and what’s not.
Indeed, the developers will have a much better understanding than I as to what effort would be involved in implementing something like this. I have not explored the source code for Nextcloud or TOTP, so I have no idea what effort would be involved. More importantly, I have no idea what the demand would be for it, so first out of the gate would be a cost/benefit analysis. Having been a software developer, one thing I am certain about is that virtually anything is possible.
Thanks for the responses; much appreciated.