Next generation 2-factor authentication

Security continues to be a key concern for Nextcloud users. To improve the protection of Nextcloud servers, this release enables administrators to control and enforce 2-factor authentication globally or on a group-by-group base. New are also one-time codes for system administrators, to be used when the 2-factor is unavailable.

All users will be warned to generate their one-time codes as soon as possible and store them somewhere safe. Administrators have command-line control over 2FA, in case they or users are locked out of their account.

To lower the effort of using the 2-factor for secure authentication, notifications from devices already authenticated can be used as 2-factor. This way, a mobile device can approve authentication in a browser, or the desktop client can approve authentication on a phone. The user simply gets a notification and can approve it.

Further hardening of Nextcloud

To harden Nextcloud further, this release brings more strict CSP (Content Security Policy) rules providing even deeper protection from Cross-Site Scripting vulnerabilities. The third generation of our App tokens improves handling on external password change. This reduces the number of times users have to re-authorize their client applications as the clients can get re-authorized automatically, provided one of the users’ logins is valid.

Details on CSP and App Token V3

Our CSP no longer by default allows unsafe-eval. This blocks the javascript eval function. Developers can effectively no longer interpret text as instructions. You could insert the following code:


And it would just work. Now it no longer does. This means app developers will have to update their app and keep this limitation in mind. Nevertheless, code injection attacks by a hacker become significantly harder with our stricter CSP.
Over the last 2 years, our technology evolved from app tokens which were invalidated whenever the user changed their password (V1) to public key app tokens that would be updated on password change (V2). V3 is adapted to work with LDAP or other external authentication mechanisms. Upon the first login in the web or any client, all app tokens are updated.

If you have questions please contact our Support in your account section.

©2022 LivSmart


Send us a message


Log in with your credentials

Forgot your details?