Security in Nextcloud: how to block 99.9% of user account attacks

This is how it works, as described in the user manual:
So when enabling 2FA you need to use device or application specific tokens.
Some applications also support single sign on, then a specific token is not needed, as I understand.
You can use DAVx5 without issue with 2FA enabled, with it’s own app token.

Using 2FA implies having backup codes, so yes they can be used for that. And as fallback, the administrator of the nextcloud instance can always manage 2FA state for a user, to help out.

There’s also an 2FA Admin Support app:


Ok, sounds good!

@mjanssens thank you for linking the manual! I’ll have to take look at it.

Apart from anything else don’t use an email address as a login ID. Use of an email address as ID is the starting point for using leaked passwords. If has password Myname_1sfred leaked from one site then that’s a pair to start guessing with on any other site that uses email address a ID on the basis that Fred only has one email address and uses it everywhere. If he is fredbloggs on one site, user385 on another and fb_001 on a third then knowing his password was Myname_1sfred on the first site is no help in trying to break into the others, even if he used the same password.

1 Like

Unfortunately this is not mentioned in the article. Since many small and large companies also use Nextcloud, your argument is not valid. As a recommendation you should either clarify this or write the title less sensational. Wouldn’t be the first time when marketing and hip bloggers ruin an usually good product and brand with their bloomy promises. You are advertising a single item (2FA) as 99,9 % solution against attacks. That’s quite untrue and not representing the real life. Why do you do this?


2FA might stop 99.9% of attacks on Hotmail accounts, but I don’t think the same can be said for a self-hosted software stack like Nextcloud. There are several other vectors of attack beyond password guessing, so I think that would be giving a false sense of security.

1 Like

Yes, it is a pretty sensational title :wink:

But I got your attention, didn’t I? And that is literally my job :wink:

I didn’t even cheat by putting sex in the title (which according to research works even better). Hey, a title needs to make people want to read the article.

The accuracy of it - well, depends on context - you can also quite easily claim that using port 23 for ssh blocks 99.9999% of all attacks on SSH - technically correct but not all breaches are, of course, caused by that same type of attack. So it’s both true and not, I suppose.

Anyhow. Let me update the title a bit and call it ‘user account attacks’. That’s probably a lot more accurate, and doesn’t discount that there are 10.000 other types of attacks on servers. And it is still clickbaity enough to upset a few pedantic people :smiley:

But please understand - there are two things that make a project like Nextcloud successful. Doing interesting things is one. And the other is talking about it. If you don’t do one of those, you’ll just end up another irrelevant product and that is not what we want so yeah, we talk about it. And use most tricks in the book. Not all, we don’t pay google and facebook for ads, for example, but we do try to write, ehm, good (maybe clickbaity) titles to get attention for example. And we develop some features almost purely for PR reasons.

I totally get that some of you don’t like that, really. I don’t like sensational news or people who intentionally post outrageous stuff on twitter to get more followers. But the sad reality of the world is that it works and thus we can’t afford to not play the game if we want to be relevant. And I want MORE for Nextcloud to be relevant than that I want to be super realistic and be liked by everyone in tech all the time, sorry.

As another outrageous example I’m happy to discuss with tech people is how NextCLOUD is totally wrongly named and isn’t a cloud at all because a cloud is (blablabla). I’m happy to agree, it is 100% correct: Nextcloud is not SaaS, PaaS or IaaS. It is not a cloud in terms of AWS and OpenStack. But we still won’t rename it. And we don’t apologize for this name because IT WORKS, laypeople understand the name even if it irritates a few pedantic nerds. Sorry, not sorry. See, you can be right AND wrong at the same time :roll_eyes:


1 Like

It is a re-wording of 20-month old articles about Google introducing hardware keys for their employees, like this for example
The attacks aren’t blocked but their success rate is…

I have created a comment with a smiley face. Please relax.

It is Friday and the sun is shining here. Have a nice weekend with or without 2FA :slight_smile:


“Pedantic nerds”, is it now? When in doubt, go on the offensive and try to shame the users for calling BS. Superb.

And here we go again and start to discuss off-topic related to topic title.

Please stay on-topic and be nice to each other.

1 Like

It was on topic. It seemed to me not a great idea to give “laypeople” the impression that their Nextcloud would be safe from 99.9% of attacks by implementing 2FA. Then we got a rather less than positive response…

There is no such thing as bad publicity…

Ha, good catch, I wrote it quite a while ago, don’t even remember when - I wanted to urge people to use 2FA and explain the options, I had written that part. But then I was kicked by, I think, this or a similar article which made for a good headline that encourages people to protect their server with 2FA. And then it was in a drafts folder for a long time…

And for everyone complaining about the article - feel free to contribute nice, positive blogs to our website. I’d be totally happy to take guest posts about useful things that help our users keep their data safe or similar. If you’d rather just be negative may I suggest to go on twitter and join the millions of others there doing that all day long?

There’s a US president who does outrageous things to complain about EVERY DAY.

1 Like

I think @jospoortvliet needs vacation …
The world is going crazy, every word written is now a dynamite for the community…


Indeed. I don’t think anyone was being harsh or negative, or had any idea who wrote the blog post. It just seemed like a bit of a silly claim, that could give a false sense of security to casual users, and could easily be corrected. Ideally without the pejoratives.

Wow, that escalated quickly…

I would consider myself a beginner (“layperson”) in nextcloud, especially when it comes to security. But while reading the post I never had the impression, that 2FA is the holy grail of security. Some of the statements that are used in there are pointing out that 2FA is good starting point to get at least a reasonable defense at the most common attack vector.
At the end of the day, everyone who uses nextcloud (or any other software) is responsible for his own security, which leads to the necessity to deal with the subject and educate him-/herself.


This is a statement I could agree with

As somebody “from the front” often argueing with stakeholders weather to use Nextcloud or not, such sensational articles cause a lot of harm. In the end they are picked and used as arguments against Nextcloud, how it considers Security.

You should better adjust your marketing. If your indicators for success are hits and pageviews, than this is the beginning of a race to the bottom.

Update: I see you’ve modified the title to “user account attacks” that’s more clear! Thank you!


Some of my clients refuse to use 2FA while they have sensible datas on a macbookpro without session password … :upside_down_face: because it’s so annoying for them to open the TOFP app and type a 6 Digits code…
So i made them sign a paper that it’s not my responsability if datas are stolen from their machines…

You have a lot of choice to harden the security of your account, but i don’t like Notifications, nor email, nor sms… i prefere 2FA and keys.

1 Like

While 2FA can be considered annoying it is probably one of the best defenses against getting hacked. As leaking data happens often due weak credentials.

@Nemskiller do any of your clients use keys? Found the support in windows so far lacking and rather frustating to use. Got to admit, tested it half a year ago.

There is a huge difference in the way articles about MFA (2FA, OTP) are read by “business” and “home” users…

At work it is relatively easy to do and lately much much cheaper than it used to be…
In home user-land convenience is all that matters! Case in point: MP3 vs. other audio formats.
The only ways to implement it is to force it (i.e. online banking) or to hack and scare a user sh!tless for NOT using it…

We use MFA for longer than Nextcloud, since the times RSA SecurID was the only game in town.
It is anything but convenient. Today even offering people free U2F Yubikeys can’t convince them to use it at home…

Should people use it to protect their accounts? Definitely.
Will they do that? 99.9% won’t (until a disaster strikes)…