Nextcloud open source software package has plenty of options for securing data it stores, and for providing secure mechanisms for accessing the cloud services it provides. If a Nextcloud server is accessible on the public internet, the first thing to do is to secure login to the server so that outsiders really have hard time if they try to hack in. This article explains the secure login options Nextcloud provides, and shows how to install and use one of them: a remarkably easy login mechanism that relies on Nextcloud Notifications.

Recently, a blog post on Nextcloud.com offered a detailed explanation on all the possible ways it is possible to configure secure user login for a Nextcloud server. The pleasant surprise in the blog post was that I discovered secure login methods I wasn't even aware of.
Here is a brief introduction to each secure login before I make a recommendation which ones you might want to try.

A) Two-factor authentication using a time-based one time password, often abbreviated as OTP, or TOTP. This is generally regarded as a secure mechanism that can be used with many systems ( read more about practical ways to use OTP here) - in addition to Nextcloud. OTP requires users to type multiple passcodes, and setting it up requires an effort.

B) Second authentication via Nextcloud Notification. This is a smart and easy way to login to a Nextcloud server. In addition to ordinary login credentials, Nextcloud's Notification system is used as a light-weight second-factor authentication method. I will show you how to configure this.

C) Text message, Telegram, Signal or another secure messaging app as a transport mechanism for the second authentication layer. This is relatively easy to use and to set up, but especially text message isn't the strongest secure communication method.

D) Passcode via email. An additional passcode is sent to the user via email. Easy to set up and use. If the entire end-to-end email system is secure, this can be a secure method.

E) Dedicated hardware. Small USB key-like products, like Yubikey or Nitrokey can provide very secure two-factor authentication. Requires the purchase of additional hardware, setting it up, and always carrying the hardware product along.

F) Backup code. Nextcloud server can create passcodes that are valid only once. These codes can be used as an authentication mechanism, but primarily they are meant for rescuing a user who has lost other means to login. If you activate two-factor authentication, backup codes are an essential survival method, for instance, if you lose your phone used for authentication.

Individuals and organizations that already have a OTP two-factor authentication system (option A) in place and are used to it, should feel comfortable using the technology with Nextcloud servers as well.

Nextcloud admins and organizations that are starting their journey with two factor authentication should appreciate the easy and user-friendly Notification authentication feature.

How does the Nextcloud Notification authentication work?

The reason I think Nextcloud Notifications is a smart way to securely login to a cloud server is that it cleverly uses a service that is already built in to the system.

Let's say you want to login to Nextcloud from your work computer. You enter your user name and password. Then, Nextcloud waits for you to approve the login attempt on another device. Probably you have your phone somewhere nearby. Pick it up and you will see a notification from Nextcloud asking if it is all right to let someone at a specific IP address in. Just push a button on your phone to approve or reject the attempt. Done.

This is so damn easy that it must be some downsides to it. The first is that you must be logged in to your Nextcloud account on your phone (or on any other device that can access Nextcloud) when the approval notifications arrives. The second is that the approval notification pops up on all devices and computers that are logged in to your Nextcloud account. Still, Notifications is good enough, and much better than relying solely on standard user name-password authentication.

Configuring Nextcloud Notifications to provide simple two-factor authentication

1) Install the Notification Authentication app on the server. You can find it in admin panel at: Apps - Security - Two-Factor Authentication via Nextcloud Notification.

2) Enable the app. Go to: Settings - Personal - Security. On the page, select Enable Notifications.

3) Create backup codes. On the same page as in the previous step, push the button: Generate backup codes. The codes will be listed on the page. If you have a password manager app, copy the codes into the app, or print the codes, or find another safe place for them (that you can access also when away from your current location).

4) Ensure you are logged in to your Nextcloud account on one or two other devices. On a mobile device, ensure your login is active on a browser as well.

5) To test that it works: log out from Nextcloud on your primary computer. Log back in. Nextcloud Notification screen waits for your approval that you have to do on another device.

6) Pick up your phone or another device that is logged in, view the Notification, and push Approve button. Now, you are logged in to the server on your primary computer.

We didn't have time to study why the Nextcloud Notification app on Android didn't work for secure login. Nextcloud app version 3.10.1 and 3.11.0 on two Android devices correctly displayed the approval notification, but froze then. Nonetheless, mobile web browser notifications worked fine for secure login authentication.