As you may have read in the official Nextcloud announcement we’re today releasing the Nextcloud 10 beta release. Besides adding a lot of awesome new features it also includes several security hardenings, such as adding support for a native bruteforce protection and Two-Factor Authentication.

Nextcloud commits to keeping your data secure, we’re even going so far to offer up to $5,000 for security bugs. You can learn more about it in an earlier blog post of mine.

Adding more sane defaults

We’ve been thinking about the casual user and how to improve login security without adding any effort.

That’s why this release will also include a by default enabled bruteforce protection. The current implementation works by throttling all login requests coming from a specific subnet. This means, if an IP has triggered multiple invalid login attempts all future auth requests from that subnet will be slower. (up to 30 seconds)

This certainly is a good step in the right direction and we’re planning many enhancements. Keep on reading to learn about them.

Two-Factor in Nextcloud

While brute force protection is a major improvement, users can do more to protect themselves if they’re willing to do a little bit more work. That is where Two Factur Authentication comes in.

So two-factor authentication, as the name suggests, adds a second ‘factor’ to the authentication process. For example, you now have a password. As second factor, you could require a finger print too. Or you can have a combination of a chip card and a pin code, or an iris scan and specific spoken word. The idea behind two factor is always to combine two distinct factors so the theft of a single one (like your chip card or mobile phone or password through a security breach) is not enough to gain access to a system. Typically, two factor combines thus “something you know” (like a password) with “something you have” (a chip card) or “something you are” (iris or fingerprint scan). Note that two passwords or two chip cards makes little sense in this scheme!

I started to work on implementing the core of two factor authentication in late 2015 and created a working proof of concept as well as API suggestions. At that point, Christoph Wurst got involved and reworked the code and API into a much cleaner and future proof implementation. In the months since then we brought the code to a state where we believe this is production ready.

Currently, the Nextcloud server offers an API which essentially allows apps to register themselves as provider and define a callback after a user has logged-on. So, to get an actual second factor as part of your authentication process, you need to install an app. Several of these are already written by Christoph and we’ll put them up for easy download the coming days so you can experiment with it. Their abilities include authentication with a token app like Google Authenticator or authentication via SMS.

If you want to check out some actual code examples take a look at the TOTP authenticator or the SMS authenticator. Writing your own provider is an easy and small task and we expect a few more to crop up the coming weeks.

Verify screen for TOTP

What’s coming next

We know that the current implementation is not a panacea and we’re planning on hardening these features even more. Ideas currently tossing around hardening these features include:

  • Adding the bruteforce protection also on password protected shares (server/478)
  • Give IPs more trust if they already logged-in to the same account before (server/492)
  • Optional ability to block user account after many failed login attempts (server/493)

Of course, these are just ideas. If you have your own ideas and improvements just file them as enhancement request as well or, even better, do a pull request!

Any help on implementing them is utmost welcome! If you’re a PHP developer and want to help let me know via our forums, IRC (#nextcloud-dev) or via email to [email protected] Let’s work together on making Nextcloud even more secure.