Easily setup Signal 2FA on Nextcloud 14

Two-factor authentication (short 2FA) is an important security concept to secure unauthorized access to your web applications. Popular online services like Google Mail, Instagram or Facebook already provide this mechanism to secure user accounts with an additional one-time token. Considering someone is able to obtain your username and password combination, for example on a public internet terminal in the library or the airport, he or she won’t be able to gain access on a second device without knowing the additional security token (the second factor). This token will be send to you on a different channel or device.

Starting with version 14 of Nextcloud, there’s now also a new app called two-factor gateway which can send these additional tokens to Signal Messenger, Threema, E-Mail etc. Setting up this infrastructure is a bit more complex since your server must be able to support one of these gateways. In this post I’ll describe how to setup the Signal 2FA gateway on an Archlinux machine.

Signal 2FA setup

To get started, it is recommended to get a new, temporary “disposible mobile phone number” for the registration process. I ordered a batch of phone numbers on the site getsmscode.com (which is a bit shady …) and was able to register and verify this new number on the Signal servers. First, install the Nextcloud app and the gateway daemon:

pacaur -S nextcloud-app-twofactor-gateway signal-web-gateway

Put your phone number into the configuration file at /etc/webapps/signal-web-gateway/config.yml:

[...]
tel: "+1774****"
[...]

Configure the gateway and verify the phone number (you’ll receive the verification SMS on the merchant website):

cd /usr/share/webapps/nextcloud
sudo -u http ./occ twofactorauth:gateway:configure signal # leave default options (press return)
cd /var/lib/signal-web-gateway
sudo -u signal signal-web-gateway # enter verification
systemctl enable --now signal-web-gateway

Enable the twofactor gateway app in Nextcloud and configure it on your user settings page in the security part (see the following picture).

Next time you login into Nextcloud you’ll be asked for the token after entering username and password.

Your Signal gateway needs to approve your new device key in case you reinstall Signal on your phone. Otherwise the recipient is untrusted and you wont receive 2FA messages anymore. A quick workaround is to remove the old identity file and restart the gateway service:

rm /var/lib/signal-web-gateway/.storage/identity/remote_1234
systemctl restart signal-web-gateway

The filename “remote_1234” has to be changed, matching your recipient phone number.

Device and client specific passwords

Other clients which access your Nextcloud instance might need to be reconfigured after enabling two-factor authentication. For instance, I use the Android app DavDroid for syncing my contacts and calendar entries and it won’t be able to login with 2FA enabled. In such cases, you’ll need to generate an app specific password, as shown in the picture above, which will be used only by this app and won’t require 2FA.

💬 Are you interested in our work or have some questions? Join us in our public Signal chat pi crew 👋
🪙 If you like our work or want to supprot us, you can donate MobileCoins to our address.

Comments

  1. Excellent blog here! Also your site loads up very fast! What web host are you using? Can I get your affiliate link to your host? I wish my site loaded up as fast as yours lol

Leave a Reply

Your email address will not be published. Required fields are marked *