This is how it works, as described in the user manual: https://docs.nextcloud.com/server/18/user_manual/user_2fa.html
So when enabling 2FA you need to use device or application specific tokens.
Some applications also support single sign on, then a specific token is not needed, as I understand.
You can use DAVx5 without issue with 2FA enabled, with its own app token.
Using 2FA implies having backup codes, so yes they can be used for that. And as fallback, the administrator of the nextcloud instance can always manage 2FA state for a user, to help out.
Apart from anything else don't use an email address as a login ID. Use of an email address as ID is the starting point for using leaked passwords. If fred@example.com has password Myname_1sfred leaked from one site then that's a pair to start guessing with on any other site that uses email address as ID, on the basis that Fred only has one email address and uses it everywhere. If he is fredbloggs on one site, user385 on another and fb_001 on a third then knowing his password was Myname_1sfred on the first site is no help in trying to break into the others, even if he used the same password.
Unfortunately this is not mentioned in the article. Since many small and large companies also use Nextcloud, your argument is not valid. As a recommendation you should either clarify this or write the title less sensationally. Wouldn't be the first time when marketing and hip bloggers ruin a usually good product and brand with their bloomy promises. You are advertising a single item (2FA) as a 99,9 % solution against attacks. That's quite untrue and not representing real life. Why do you do this?
2FA might stop 99.9% of attacks on Hotmail accounts, but I don't think the same can be said for a self-hosted software stack like Nextcloud. There are several other vectors of attack beyond password guessing, so I think that would be giving a false sense of security.
But I got your attention, didn't I? And that is literally my job
I didn't even cheat by putting sex in the title (which according to research works even better). Hey, a title needs to make people want to read the article.
The accuracy of it - well, depends on context - you can also quite easily claim that using port 23 for ssh blocks 99.9999% of all attacks on SSH - technically correct but not all breaches are, of course, caused by that same type of attack. So it's both true and not, I suppose.
Anyhow. Let me update the title a bit and call it "user account attacks". That's probably a lot more accurate, and doesn't discount that there are 10.000 other types of attacks on servers. And it is still clickbaity enough to upset a few pedantic people
But please understand - there are two things that make a project like Nextcloud successful. Doing interesting things is one. And the other is talking about it. If you don't do one of those, you'll just end up another irrelevant product and that is not what we want so yeah, we talk about it. And use most tricks in the book. Not all, we don't pay google and facebook for ads, for example, but we do try to write, ehm, good (maybe clickbaity) titles to get attention for example. And we develop some features almost purely for PR reasons.
I totally get that some of you don't like that, really. I don't like sensational news or people who intentionally post outrageous stuff on twitter to get more followers. But the sad reality of the world is that it works and thus we can't afford to not play the game if we want to be relevant. And I want MORE for Nextcloud to be relevant than that I want to be super realistic and be liked by everyone in tech all the time, sorry.
As another outrageous example I'm happy to discuss with tech people is how NextCLOUD is totally wrongly named and isn't a cloud at all because a cloud is (blablabla). I'm happy to agree, it is 100% correct: Nextcloud is not SaaS, PaaS or IaaS. It is not a cloud in terms of AWS and OpenStack. But we still won't rename it. And we don't apologize for this name because IT WORKS, laypeople understand the name even if it irritates a few pedantic nerds. Sorry, not sorry. See, you can be right AND wrong at the same time
It was on topic. It seemed to me not a great idea to give "laypeople" the impression that their Nextcloud would be safe from 99.9% of attacks by implementing 2FA. Then we got a rather less than positive response…
Ha, good catch, I wrote it quite a while ago, don't even remember when - I wanted to urge people to use 2FA and explain the options, I had written that part. But then I was kicked by, I think, this or a similar article which made for a good headline that encourages people to protect their server with 2FA. And then it was in a drafts folder for a long time…
And for everyone complaining about the article - feel free to contribute nice, positive blogs to our website. I'd be totally happy to take guest posts about useful things that help our users keep their data safe or similar. If you'd rather just be negative may I suggest going on twitter and joining the millions of others there doing that all day long?
There's a US president who does outrageous things to complain about EVERY DAY.
Indeed. I don't think anyone was being harsh or negative, or had any idea who wrote the blog post. It just seemed like a bit of a silly claim, that could give a false sense of security to casual users, and could easily be corrected. Ideally without the pejoratives.
I would consider myself a beginner ("layperson") in nextcloud, especially when it comes to security. But while reading the post I never had the impression that 2FA is the holy grail of security. Some of the statements that are used in there are pointing out that 2FA is a good starting point to get at least a reasonable defense against the most common attack vector.
At the end of the day, everyone who uses nextcloud (or any other software) is responsible for his own security, which leads to the necessity to deal with the subject and educate him-/herself.
As somebody "from the front" often arguing with stakeholders whether to use Nextcloud or not, such sensational articles cause a lot of harm. In the end they are picked up and used as arguments against Nextcloud, how it considers security.
You should better adjust your marketing. If your indicators for success are hits and pageviews, then this is the beginning of a race to the bottom.
Update: I see you've modified the title to "user account attacks", that's more clear! Thank you!
Some of my clients refuse to use 2FA while they have sensitive data on a macbookpro without session password … because it's so annoying for them to open the TOTP app and type a 6-digit code…
So I made them sign a paper that it's not my responsibility if data are stolen from their machines…
You have a lot of choice to harden the security of your account, but I don't like Notifications, nor email, nor SMS… I prefer 2FA and keys.
While 2FA can be considered annoying it is probably one of the best defenses against getting hacked, as data leaks often happen due to weak credentials.
@Nemskiller do any of your clients use keys? Found the support in windows so far lacking and rather frustrating to use. Got to admit, tested it half a year ago.
There is a huge difference in the way articles about MFA (2FA, OTP) are read by "business" and "home" users…
At work it is relatively easy to do and lately much much cheaper than it used to be…
In home user-land convenience is all that matters! Case in point: MP3 vs. other audio formats.
The only ways to implement it are to force it (i.e. online banking) or to hack and scare a user sh!tless for NOT using it…
We have been using MFA for longer than Nextcloud has existed, since the times when RSA SecurID was the only game in town.
It is anything but convenient. Today even offering people free U2F Yubikeys can't convince them to use it at home…
Should people use it to protect their accounts? Definitely.
Will they do that? 99.9% won't (until a disaster strikes)…