Nextcloud Two-Factor Authentication

Using a Nitrokey to log into Nextcloud

Since version 11, Nextcloud has supported Universal Second Factor (U2F) login in compatible browsers. Now, finally, Nextcloud’s Android client provides U2F in version 3.8.

Security keys are an easy and exceptionally robust method of second-factor authentication. Recently, Nitrokey and Nextcloud partnered up to encourage this login mechanism. Now, COTECH joins as a software partner.

The result is a usable login flow: at the bottom, a dialog indicates that user interaction is needed during U2F login. Users who are not familiar with the concept of security keys on mobile devices get assistance through helpful animations.

The most common security keys are compatible with our implementation. Users can use them via USB or NFC. With NFC, a simple touch of the key on the back of the device is enough to log the user in. USB is similarly easy: plug in the key and press its button to indicate user presence.

Everyone should take a closer look at the NFC help dialog. It helps to find the NFC sweet spot, in other words, where the device’s NFC antenna works best. It uses a local database of phone models for which the best spot is known.

U2F is just the first step. In the future, Nextcloud, Nitrokey and COTECH will bring a real passwordless login experience to mobile devices using the WebAuthn standard. One authenticator will replace all user passwords, including that for Nextcloud.

Why did it take so long?

On Android, there is no U2F API available in a WebView, Android’s in-app browser view, which Nextcloud uses for its login flow. COTECH’s Hardware Security SDK changed that. It hides the difficulties of communicating with security keys and provides an easy API for developers, so that Nextcloud can bring U2F to its Android users.

Integrating the Hardware Security SDK took only 18 lines of additional code. Nextcloud’s WebView uses the U2F JavaScript API injected by the Hardware Security SDK. After that, all U2F calls are handled. We provide a guide to the implementation that takes a detailed look, including code snippets.

Can I use the Hardware Security SDK in my app?

Yes, we would love to get in touch with you. Please contact us at support@hwsecurity.dev.

Dr.-Ing. Dominik Schürmann

Before founding the company, Dominik Schürmann was a researcher at the Technische Universität Braunschweig and worked on network security and cryptographic protocols. Yet, he did not lose sight of the usability aspects of IT security and conducted several user studies.