User Two-Factor Authentication

Introduction

With two-factor authentication (2FA), users can access their ownCloud web accounts only by using a trusted device like their mobile phone. When users want to sign in, they need to provide two pieces of information (factors):

  • the password,

  • the six-digit verification code that’s automatically displayed on the trusted device or sent to the phone number.

Setting Up 2FA

To provide 2FA functionality, a two-factor provider app such as 2-Factor Authentication needs to be installed and enabled.

Once a two-factor provider app is enabled, it is enabled for all users by default, but each user has to opt in. The provider can decide whether or not the user has to pass the challenge.

Troubleshooting

Tasks for the User

Because the user has to opt in, see the Security section in Personal Settings for the tasks on the user side.

Second Factor is Inaccessible

If a user loses access to the second factor, e.g. by breaking or losing the phone used for two-factor SMS/app verification, the user is locked out. To give the user access to the account again, an admin can temporarily disable the two-factor check for that user via the occ commands for Two-Factor Authentication. After the issue has been fixed, the admin can re-enable two-factor authentication for that user.

Manage Secrets

If ownCloud’s 2-Factor Authentication is used, the admin can manage the secrets via the occ Two-Factor TOTP commands.