Nextcloud 2FA and App Passwords

christiaan

I want to turn on 2FA in Nextcloud using the TOTP app.

I understand you need to generate separate 'app passwords' for all the devices/apps that need access.

But do you have to create a password for every single app or device? Or can you just create one 'app password' and use that for, example, your iPhone and Mac calendar, contacts and file sync**?

** Do you actually need to use an 'app password' for desktop file sync or will that continue to work as normal, having been verified via web browser granting permission already?

nebulon

This is probably more a question to be asked with Nextcloud upstream project itself. But given these are app passwords, I would expect that each client/device needs its own.

christiaan

Yeah, sorry, sometimes I'm not sure whether to post here or on Nextcloud because I'm not sure if there are some Cloudron-specific implications to think about or not.

I found the comment below on Nextcloud forum. It sounds like you can create just one password for all devices/apps, but it's not intended to work that way. Although it seems to me you don't lose much functionality compared to the convenience? If a password is compromised you replace it and update all your devices/apps. The main password is still safe and protected by 2FA.

https://help.nextcloud.com/t/app-password-not-working-as-expected/28744

The idea behind this is:

• the user creates one app password for each app
• uses a different password for each app
• (optional) uses a different app password for the same app on a different device
• can see in Nextcloud GUI which “app” (or device) logged in last
• • can discover compromised passwords due to unexpected login behavior
• • can revoke the compromised password and set a new one, without the need to change the “normal” password for your account (security gain)

murgero

@christiaan said in Nextcloud 2FA and App Passwords:

I understand you need to generate separate 'app passwords' for all the devices/apps that need access.

This is incorrect (maybe except for the PC version??) all you need is to open the nextcloud app on android or ios (if that's what you are using) then login normally, it will ask for 2FA so switch apps, copy number, switch back and paste it. Then allow the app to use your nextcloud account. Then use the app to sync contacts and such (or use a third party tool)

mario

What the mobile apps do is:

• you enter username password
• you enter 2FA, if needed

The server generates the app password and passes it to the application which then uses it.

So in most cases, there should be no need to generate one yourself.

christiaan

@murgero said in Nextcloud 2FA and App Passwords:

@christiaan said in Nextcloud 2FA and App Passwords:

I understand you need to generate separate 'app passwords' for all the devices/apps that need access.

This is incorrect (maybe except for the PC version??) all you need is to open the nextcloud app on android or ios (if that's what you are using) then login normally, it will ask for 2FA so switch apps, copy number, switch back and paste it. Then allow the app to use your nextcloud account. Then use the app to sync contacts and such (or use a third party tool)

Okay great, I see, but this is just for mobile app/file sync right? For calendar and contacts sync I will need to generate app passwords if 2FA is on?

mario

@christiaan Davx5 also supports this kind of login. For apps that do not support it we indeed do recommend for you to generate app passwords yourself. (there are various advantages to app passwords, like remote wipe if the app supports it).

murgero

@christiaan If the contact sync is android, the Nextcloud app can handle this for you as well - I use it. I've never had to generate app passwords myself. Always just let my mobile app do it.

christiaan

All iPhones and Macs at our end.