How to enable two-factor authentication on Nextcloud 10


Image: Jack Wallen

The time has come to enable two-factor authentication on every possible service you use or host. If you’re not using two-factor authentication, you run the risk of getting hacked…it’s that simple.

What is two-factor authentication?

You log into a service with your usual credentials, and then you’re required to enter an authentication code to access your account. Those authentication codes are found using mobile apps such as Authy or the Google Authenticator. Without that code, you cannot get in.

The need for higher security is why the developers of Nextcloud made sure to include an app for two-factor authentication in the latest beta release of 10. You must be running Nextcloud 10 for this to work; if you meet that requirement, you can enable two-factor authentication on Nextcloud 10.

SEE: Nextcloud 10 beta includes two-factor authentication security (ZDNet)

Enable the app

The first thing you have to do is enable the two-factor app. Because this is of an experimental nature, you have to start by enabling access to the available experimental apps. This is somewhat hidden—here’s how to find it.

  1. Log in to Nextcloud 10.
  2. Click the Apps drop-down in the upper left corner and click Apps.
  3. Click the gear in the lower left corner.
  4. Click to Enable Experimental Apps (Figure A).
  5. Click the Apps drop-down and click Apps.
  6. Click Tools in the left navigation and scroll down until you see TOTP Two Factor—click the Enable button associated with this app (Figure B). Two-factor authentication will be enabled for your Nextcloud 10 server.

Figure A

Figure A

Figure A

Image: Jack Wallen

Enabling the Experimental Apps in Nextcloud 10.

Figure B

Figure B

Figure B

Image: Jack Wallen

With a single click, two-factor authentication will be enabled.

How users enabling two-factor authentication

Here’s the tricky part: Once you’ve enabled the app, you still have to enable two-factor authentication for each user. This is done by the user—not the administrator.

  1. Log in as a Nextcloud user.
  2. Click the User drop-down in the upper right corner.
  3. Click Personal.
  4. Select TOTP Second-factor auth in the left navigation.
  5. Click the check box for Enable TOTP.
  6. Open your mobile two-factor app.
  7. Walk through the process of adding a new account (this will vary, depending upon which app you use).
  8. Using your two-factor mobile app, scan the barcode presented by Nextcloud.

Now log out of Nextcloud and log back in. You’ll have to click the Authenticate with a TOTP app button and then enter the code (Figure C) from your mobile app.

Figure C

Figure C

Figure C

Image: Jack Wallen

Logging into Nextcloud with two-factor authentication.

Make two-factor authentication the default

On every service you use—whether it’s for social networking, shopping, cloud, etc.—you should have two-factor authentication enabled.

Bravo to the Nextcloud developers for making this setup so easy that anyone can add a second layer of security to their company’s cloud service. Consider this a must-have the second you upgrade Nextcloud to version 10.

Also see

St. Jude Says Muddy Waters, MedSec Video Shows Security Feature, Not Flaw

Feud between St. Jude Medical and Muddy Waters and MedSec continues with the former reiterating safety feature of its implantable devices.

St. Jude Medical has refuted the recent flawed-device allegation made by Muddy Waters Capital and MedSec and has issued a statement saying the “flaw” was actually a “security feature.” Muddy Waters and cybersecurity firm MedSec had released a video on August 29 to demonstrate that some of St. Jude’s implantable devices were soft targets of cyberattacks.

“We want our patients to know that they can feel secure about the cybersecurity protections in place on our devices,” said Michael T. Rousseau of St. Jude Medical adding that the “crash” implied by the Muddy Waters video was in reality a display of the Radio Frequency (RF) Telemetry Lockout security feature of the company’s pacemakers.

“If attacked, our pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work,” further elaborated Phil Ebeling of St. Jude Medical.

St. Jude claims its implantable devices include features that bring down dangers of unauthorized commands issued to them and thwart crash attacks.

For full press statement, click here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

Florida Man Pleads Guilty To Cell Phone Fraud Involving $1 Million

Edwin Fana compromised identifying data of victims and used them to conduct thousands of international calls.

Edwin Fana, a resident of Florida, has admitted to a cell phone fraud operation that resulted in $1 million in losses to victims whose telecommunication indentifying data was hacked and stolen to make international calls to countries with high calling rates like Cuba, Jamaica, and the Dominican Republic.

The US Department of Justice said Fana and his co-conspirators carried out identity theft of US nationals and used the stolen data to open new cell phone accounts. The phones, controlled by the criminals, were then re-programmed to make international calls which were billed to the victims’ accounts.

As part of Operation Toll Free, the FBI arrested Fana in 2012 and seized from the “call site” at his residence around 88 cell phones with nearly 11,000 telecommunications numbers.

Sentencing would be at a later date.

Read details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

How Not To Pay A Ransom: 3 Tips For Enterprise Security Pros

At the most basic level, organizations must understand their data, the entry points, and who has access. But don’t forget to keep your backup systems up to date.

Securing the enterprise is complex and always evolving. Ransomware has been garnering more and more attention from CIOs as well as CISOs as it impacts every organization from a financial, efficiency, and brand perspective.

Ransomware’s alarming growth, in conjunction with the velocity that ransomware variants are being published, are positioning the enterprise market to quickly catch up to the consumer market in terms of exposure and vulnerability. Consider:

  • The FBI estimates that crooks extorted $209 million in ransoms in the first three months of 2016 alone.
  • McAfee’s recent Threats Report has discovered 5,000 versions of 21 mobile applications that are being used to operate mobile collusion attacks on victims.
  • The introduction and tracking of the ransomware “FLocker” which attacks Android-based applications and has crossed platforms to lock smart TVs.

Ransomware is typically introduced into a corporate network through an individual employee.  The employee is a victim of phishing, spear phishing, “social engineering” and similar deceptions designed to trick employees into clicking a link that launches the software. From this point of entry, ransomware spreads like wildfire across less secured document-sharing servers like SharePoint and other collaboration services used by employees.

To date, the healthcare sector has gained a large number of national headlines for being victims of ransomware. Most recently, Hollywood Presbyterian Hospital in California paid off its attackers (approximately $17,000 in the form of Bitcoins) to restore access to their healthcare data.

I believe that what we have seen happen in the healthcare industry is only a starting point for ransomware. In today’s competitive marketplaces, organizations are supporting the distributed enterprise, which includes connecting the edge of the enterprise to corporate networks. Additionally, we are seeing organizations move toward the Internet of Things (IoT). These two trends are on a collision course, exposing vulnerabilities within a corporate network and making enterprises ripe for greater ransomware attacks.

How can enterprises prevent the introduction of ransomware and mitigate the risk once a breach has been introduced? At the most basic level, organizations must understand their data, the entry points, and who has access. This information insight, if gathered on a proactive basis, creates the foundation for advanced information management and governance policies which are your best option for minimizing the impact of ransomware. Below are three tips to ensure that your organization does not pay a ransom:

Tip 1: Proactively understand and protect your data.  This is not a simple task, however it is essential if you want to manage your risk, prepare for the future, and eliminate the threat of ransomware before you are victim. It requires that enterprises categorize and assign information by relative value, sensitivity, and risk. Categorizing information insight allows you to create proper records management and information governance procedures to ensure that your most important data is always secured and archived. In doing so, organizations are often able recover the ransomware encrypted files without having to pay a ransom. 

For example, Hollywood Presbyterian Hospital paid $17,000 because they could not say for sure whether the infected PCs contained sensitive information or not. Had they followed proper records-keeping procedures, they would not be worried about losing data to the cybercriminals.

Tip 2: It’s not your father’s backup and recovery.  Backing up data in a legacy fashion exposes your organization to risk and unnecessary cost. Today’s enterprises need to consider backup and recovery solutions that allow for backing up of data on the go, storing previous revisions of the files, offer effective file recovery techniques, and isolate the backup environment such that ransomware cannot access backup data.

Tip 3: Ransomware is an evolving threat. Today’s cybercriminals are evolving their techniques to access critical applications like email, and holding the data ransom until paid.  In June, the Democratic National Convention (DNC) reported that its system had been compromised. But unlike DNC hackers that leveraged the unlimited access to the DNC’s systems for intelligence, today’s cybercriminals could target any company and threaten to encrypt, copy, and publish that data if not paid.

Related Content:

David Jones is senior vice president and general manager of the information management and governance business unit within HPE. In this role, he is responsible for defining the business vision, strategy and goals and driving the product management, sales, marketing, service … View Full Bio

More Insights

Cybersecurity Self-Esteem: 4 Things Confident Teams Are Doing

By increasing our cybersecurity self-esteem, we can truly make a difference in raising our collective cybersecurity resiliency.

Security teams need to hear a public service announcement. “Believe in yourself. Have confidence. You can do it!”

It may sound corny, but it’s true. I’ve spoken to more than 600 organizations — from mature businesses to entry-level startups. What I’m noticing is that many of these cybersecurity teams — from Singapore to Silicon Valley – do not have good self-esteem right now.


Progressive security teams are advancing largely because they “believe.” They believe they can improve their postures; believe they can achieve some form of resiliency; and look at their battlefield with an engineering mindset. Other security teams aren’t faring so well. Too many practitioners give others too much credit and not enough to themselves.

I see and hear low self-esteem all the time:

“Oh, but our team isn’t advanced.”
 “Yes, but we’re not software engineers.”
“Our budget isn’t as big as theirs.”
 “We’re already overwhelmed with AV alerts.”

While I understand why these teams think they cannot change their own status-quo, they are wrong. They simply don’t realize what they’re capable of. They give up at being transformative or at moving to a higher maturity level — often without much of a fight.

Wasting Time

A lack of cybersecurity self-esteem leads to wasted “security time.” We’ve already said we don’t have enough people, so why do we fail to optimize how our teams spend their time?

We should be looking at getting the greatest return-on-investment from security time. Does your team do any of these things:

  • Repeatedly respond to false alerts? 
  • Manually conduct lookups to see when a domain was registered? 
  • Fight with committees to get ports opened for your security tools? 
  • Sit in meetings that really don’t require them to be there?

I see all of these way too often. Security teams are often not able to use their time most effectively. And so we fail. The adversary goes undetected. Tools aren’t configured properly. Valid alerts get lost in the noise, or the hunt to find that evasive intrusion never happens. Then the annual security reports come out reflecting detection and response times in months rather than minutes. This has to change.

Building Up Our Confidence

The silver lining here is that we can build up our confidence. There are success stories. There are teams with 100,000 computers and only two FTEs that are finding and eradicating evil, and doing it in more and more automated ways.

There are companies that send their employees with little more than a laptop into countries where cyber hygiene hasn’t yet become a trend, and these teams are able to find threat signals. There are teams of one or two people at banks that are continuously improving their posture so much that the red-teams are frustrated.

None of these teams are perfect, but they are progressing and raising the bar for their adversaries. Here are four things I’ve seen confident teams do successfully to help build their cybersecurity self-esteem:

  1. Extend an olive branch to IT: While you might not be enemies with IT, you probably don’t have the best relationship. IT is the ultimate provider of security, so the more you can leverage IT to have gold images, setup proxies, use whitelisting of domains, URLs, and applications, and restrict user accounts, the easier your life will become.
  2. Make security a team sport: Can you get employees excited? Can you leverage that excitement so that each user is more vigilant, more cautious when doing things, and more willing to give up some freedoms such as installing random software or visiting certain websites? This vigilance goes a long way in reducing the number of threats and noisy events that clog your analysis systems.
  3. Pick a tool or technology and leverage the hell out of it: Teams have too many tools, too much information, and are overloaded with defensive “weapons” and information. Pick one type of log or technology and become experts in it. Use every feature. Leverage every alert or log and tune it to make sure the ones you don’t need to see are no longer sent. Push it to its limits. Then move on to the next. You’ll find that you really only need a handful of tools or logs for most of your security.
  4. Empower your team: Make hunting a perk. Empower your team to go find stuff and reward them for their time spent “outside the box” of responding to alerts. Get the team to take pride in their security posture. Be sure to keep meetings and other non-essential items to a minimum so your team feels like the Special Forces they are. Unless a meeting or task is vital, keep them in the game while they’re on the clock. Then let them disconnect and rejuvenate. This will pay dividends for your organization and will also help with retaining employees.

There’s a huge “can’t do” attitude that’s plaguing security teams. This attitude arises because security leaders and practitioners have hit too many walls, often made of human flesh. It’s time to stand up and say: “No. This is our environment. We are going to protect it.”

We may never be perfect, but we can do better. By increasing our cybersecurity self-esteem, we can truly make a difference in raising our collective cybersecurity resiliency.

Ben Johnson is cofounder and chief security strategist for Carbon Black. In this role, he uses his experience as cofounder and chief technology officer for Carbon Black, which merged with Bit9 in February 2014, to drive the company’s message to customers, partners, news media … View Full Bio

More Insights