Security in Nextcloud: how to block 99.9% of user account attacks

Ha, good catch, I wrote it quite a while ago, don’t even remember when - I wanted to urge people to use 2FA and explain the options, I had written that part. But then I was kicked by, I think, this or a similar article which made for a good headline that encourages people to protect their server with 2FA. And then it was in a drafts folder for a long time…

And for everyone complaining about the article - feel free to contribute nice, positive blogs to our website. I’d be totally happy to take guest posts about useful things that help our users keep their data safe or similar. If you’d rather just be negative may I suggest to go on twitter and join the millions of others there doing that all day long?

There’s a US president who does outrageous things to complain about EVERY DAY.

1 Like

I think @jospoortvliet needs vacation …
The world is going crazy, every word written is now a dynamite for the community…

2 Likes

Indeed. I don’t think anyone was being harsh or negative, or had any idea who wrote the blog post. It just seemed like a bit of a silly claim, that could give a false sense of security to casual users, and could easily be corrected. Ideally without the pejoratives.

Wow, that escalated quickly…

I would consider myself a beginner (“layperson”) in nextcloud, especially when it comes to security. But while reading the post I never had the impression, that 2FA is the holy grail of security. Some of the statements that are used in there are pointing out that 2FA is good starting point to get at least a reasonable defense at the most common attack vector.
At the end of the day, everyone who uses nextcloud (or any other software) is responsible for his own security, which leads to the necessity to deal with the subject and educate him-/herself.

4 Likes

This is a statement I could agree with

As somebody “from the front” often argueing with stakeholders weather to use Nextcloud or not, such sensational articles cause a lot of harm. In the end they are picked and used as arguments against Nextcloud, how it considers Security.

You should better adjust your marketing. If your indicators for success are hits and pageviews, than this is the beginning of a race to the bottom.

Update: I see you’ve modified the title to “user account attacks” that’s more clear! Thank you!

4 Likes

Some of my clients refuse to use 2FA while they have sensible datas on a macbookpro without session password … :upside_down_face: because it’s so annoying for them to open the TOFP app and type a 6 Digits code…
:roll_eyes:
So i made them sign a paper that it’s not my responsability if datas are stolen from their machines…

You have a lot of choice to harden the security of your account, but i don’t like Notifications, nor email, nor sms… i prefere 2FA and keys.

1 Like

While 2FA can be considered annoying it is probably one of the best defenses against getting hacked. As leaking data happens often due weak credentials.

@Nemskiller do any of your clients use keys? Found the support in windows so far lacking and rather frustating to use. Got to admit, tested it half a year ago.

There is a huge difference in the way articles about MFA (2FA, OTP) are read by “business” and “home” users…

At work it is relatively easy to do and lately much much cheaper than it used to be…
In home user-land convenience is all that matters! Case in point: MP3 vs. other audio formats.
The only ways to implement it is to force it (i.e. online banking) or to hack and scare a user sh!tless for NOT using it…

We use MFA for longer than Nextcloud, since the times RSA SecurID was the only game in town.
It is anything but convenient. Today even offering people free U2F Yubikeys can’t convince them to use it at home…

Should people use it to protect their accounts? Definitely.
Will they do that? 99.9% won’t (until a disaster strikes)…

To really be positive and not off topic, i suggest you to increase your practice to NOT publish a ugly title just for “new world communication practice” who has nothing serious nor credible.
It is just make sense to see objective fact everybody can read again and analyze seriously.
There is difference between argumentation to democratically and technically try to be convincing (i love it) against trying to be persuasive with moving and scandalous rhetoric to push people (kind of any well known president you were talking about out off topic again).
This 30 years old new fashion way to communicate has not been invented by any new fashion guys there, but strongly used by communication specialists to sale shit.
Isn’t your job to learn this ? And did you apply it there ? wow… am wrong bad to show this point ?
Now trying to turn it to use same rhetoric technic to turn it back when i show the hot point…
Amazing, but no one there will fall again on that step.

So then… just try to communicate technical things and be convincing other would be nice and respectful.
Two factor authentication should increase safety a bit, but sure not push it to any 99% safe at all.
The best way is to let users choose there own degree of safety access by provide maximum tools to be used free. I think this is creative way to imagine tools.
Also the problem around 2FA is actually on local server the ability to collect data to send any unrelated links. Collect data actually is a big subject.
To be safer, maybe P2P technology should be better way to look at ?
Thank you for care about respectful communication.

1 Like

They are all OS X users, but don’t want (d’oh !) to use money for U2F keys (d’oh bis !)

“60% of the time, it works all the time” :man_facepalming:

1 Like

I’m Linux (Archlinux) and Unix (FreeBSD) user. You does not represent everybody then.
And yes, i can not push people to buy half price a good material who is not so fashion with a good OS instead of a good one very expensive and very fashion.
Some people like to feel fashion, some other like to be free.
In the same way, i don’t want to impose what should be the best practice of 2020 to be safe with a tool like Nextcloud. I would loose credibility on that point maybe…

I believe macOS Safari started supporting U2F after it was standardized by W3C, i.e. WebAuthn.
Some 6 months ago… Chrome worked before that, but Apple users tend to stick to Apple apps…

Another possibility is to combine 2FA with your own SSO setup, like Keycloak (fully open source, with no funny business.)

That allows you to require the use of the second factor less frequently, which can improve user acceptance. It’s also possible to configure it in a “trust machine” mode, so that you’ll only need to use 2FA every n number of days on your device.

I generally like the idea of having a dedicated secure SSO solution, which has only one job to do, rather than relying on the correctness of individual applications.

Dedicated standalone SSO/MFA infrastructure is considered enterprise-level service by Nextcloud.
Even the documentation for it is only for customers

Incorporating Nextcloud into Keycloak-based SSO with privacyIDEA would be an interesting project
https://www.privacyidea.org/versatile-2fa-single-sign-on-with-keycloak-and-privacyidea/

CERN standardized on Keycloak as its SSO engine for its MALT project

2 Likes

4 posts were split to a new topic: Uncomplete community documentation

Or you could be a so-called “hidden champion” out there who doesn’t need outrageous marketing tactics to be on the top of their game and still be top notch and well respected.

I also still don’t understand why you hate small and medium businesses so much. Kopano and Proxmox both have offerings for smaller companies out there (even without support so it practically doesn’t cost them extra) which is the majority of companies in the German speaking area as you should know.

1 Like

Everybody can contribute to the documentation. It’s another way if you want to give something back to the community and you can’t code.

Well, the 99.99% increase in security is obviously a marketing talk, you don’t even need to read the topic to know that. However, there is at least some information how to increase security and not 100% bullshit.

The discussion here is going off-topic. Most of the things are said, please open a new topic if you feel the need that something needs to be discussed. Closing…

1 Like