Nextcloud Passwordless with Token2 T2F2 FIDO2 Keys

The passwordless feature has been just added onto Nextcloud V19. It allows authentication without a password. WebAuthn's support makes it possible using a Fido2 USB key. You'll find here the step by step guide to enable your Nextcloud account with the password-less authentication. The guide was originally published by sosandroid, in English and French

Test service

Prerequisite

A server or laptop running Docker is used here. There are other ways to test, we chose that one. You'll also need a valid domain with a valid SSL cert (not self-signed). This guide is based on a test container using the docker-compose.yaml. It has been launched using the following command line.

NEXTCLOUD_URL=mydomain.tld NEXTCLOUD_ADMIN_USER=admin NEXTCLOUD_ADMIN_PASSWORD=mypassword docker-compose up

Authentication WebAuthn / Fido2

The following key has been tested: Token2 T2F2 ALU for this test.

Set a PIN code

Before you can enrol the FIDO2 key a PIN code needs to be set. This can be done using standard control panel applet (available with Windows 10 starting 1903 release)

Nextcloud Passwordless with Token2 T2F2 FIDO2 Keys

You can also use the TOKEN2 Companion app to set the PIN-code on your FIDO2 Key.  

Set your PIN code. 1234 for instance.

Set your Nextcloud account

  1. Insert the USB key into the computer
  2. Authenticate using your account and password
  3. Go to the settings

settings

  1. Navigate to Security
  2. Start adding a WebAuthn device

webauthn-0

  1. A pop-up asks you for the PIN code

webauthn-1

  1. Press the key button to enrol it

webauthn-2

  1. Give the key a cool name

webauthn-3

  1. You're set


1st authentication

  1. Insert the USB key into the computer and log out from your Nextcloud account
  2. From your browser, refresh the Nextcloud's login: https://mydomain.tld/login

cnx-0

  1. Click Log in with a device
  2. Fill your login and press Log in

cnx-1

  1. Enter your pin code

cnx-2

  1. Press the hardware button of the USB key

cnx-3

  1. You're in

Tested Browsers

Fido2 key enrollment

Nextcloud System Browser Version Result
19.0.0.12 Windows 10 Firefox 79.0b2 Fail
19.0.0.12 Windows 10 Chrome 83.0 Fail
19.0.0.12 Windows 10 Edge 83.0 Success
19.0.0.12 Windows 10 Vivaldi 3.1.1929.45 Success

For the authentication

Nextcloud System Browser Version Result
19.0.0.12 Windows 10 Firefox 79.0b2 Success
19.0.0.12 Windows 10 Chrome 83.0 Success
19.0.0.12 Windows 10 Edge 83.0 Success
19.0.0.12 Windows 10 Vivaldi 3.1.1929.45 Success
19.0.0.12 MacOS 10.15.5 Firefox 78.0 Success
19.0.0.12 MacOS 10.15.5 Safari 13.1.1 Success
19.0.0.12 MacOS 10.15.5 Chrome 83.0 Success

Footnotes

  1. On Nextcloud the login/password authentication remains active. You must then choose a strong password as per common security rules.
  2. The consequence is you cannot be locked out by losing your USB key
  3. When the session expires or when changing some settings on your account the password is requested.
  4. While authenticating, depending on the OS / Browser the PIN code can be requested or not. This is normal behaviour
Currency
€ EUR $ USD CHF
Integration guides
Citrix Netscaler Native OTP
Azure MFA with AD Free license
Azure MFA with AD P1/P2 license
Passwordless login with T2F2 keys
Wordpress hardware tokens plugin
Hardware tokens for Google
Hardware tokens for Facebook
Meraki dashboard
Stripe dashboard
Hardware tokens for Sophos
ProtonMail 2FA
Amazon Web Services (AWS)
UserLock + Azure MFA
WebUntis [in Deutsch]
Blog
New integration guides published: Nextcloud and Fortinet...

New generation of Molto-1 device, now iOS compatible...

TOTP Hardware tokens with ESET Secure Authentication...

more posts

Large Volume Orders
For large orders, Token2 offers volume discounts.If you are interested in larger volume orders, please contact us and we will get back with a quote immediately
Burner apps


We are using cookies. By using our site you agree with ToS  ok