Nextcloud allows you to enforce groups to use two-factor authentication. Let’s find out how to create a group and then add them to 2FA enforcement.
Image: Jack Wallen
Nextcloud is a powerhouse of an on-premises cloud server solution. And with recent iterations, you can use it as a near drop-in replacement for Google Drive and Office 365. And for those that require a bit more security options than you’ll find with the competition, you’ll be glad to know that Nextcloud delivers.
Take, for instance, the ability to control two-factor authentication (2FA). With Nextcloud Hub (the latest release) you can enable 2FA globally, for individuals, or for groups.
It’s that last category I want to address—enabling 2FA for groups in Nextcloud Hub.
SEE: Hybrid cloud: A guide for IT pros (TechRepublic download)
What you’ll need
If you have installed the TOTP app (as demonstrated in How to enable 2FA on a per-user basis in Nextcloud), you’ll need to temporarily disable it. Once you have 2FA working for groups, you can then re-enable it, so users can then set it up to use for their login codes. If you leave TOTP enabled, you won’t get 2FA working for groups.
How to create a group
The first thing you must do is create a group. To do this, log in to Nextcloud with an admin account, click your profile icon in the upper right corner, and click Users. In the resulting window, click Add Group (Figure A).
Figure A
Adding a new group in Nextcloud.
” data-credit rel=”noopener noreferrer nofollow”> Adding a new group in Nextcloud.
You will be prompted to name your group. Do so and click Enter on your keyboard to save the new group. You will be prompted to type your admin password to complete the action. Type the admin password and click Confirm. Your group has been created.
How to add users to a group
Next you need to add users to the newly-created group. To do this click the edit icon (pencil) associated with a user. This will open the user editor, where you can then add the user to the newly-created group by clicking the group text area and selecting the new group from the drop-down (Figure B).
Figure B
Adding Olivia to the Editorial group.
” data-credit rel=”noopener noreferrer nofollow”> Adding Olivia to the Editorial group. 
Once you’ve added the new group, click the check mark and the changes will be saved.
Enabling 2FA for the new group
Now we’re going to enable 2FA for the new group we just created. To do that, click on your profile icon and then click Settings. In the resulting window, click the checkbox for Enforce Two-Factor Authentication. This will then reveal the group options (Figure C).
Figure C
The Nextcloud 2FA group options are now available.
” data-credit rel=”noopener noreferrer nofollow”> The Nextcloud 2FA group options are now available.
Click Enforced Group and select the new group from the drop-down. Click Save Changes and the group has now been added to two-factor authentication on your Nextcloud cloud server.
Once this is up and working, you then re-enable the TOTP app, so the users won’t have to use up their backup codes. Make sure your users then enable TOTP (as shown in the How to enable 2FA on a per-user basis in Nextcloud how-to). Once they’ve done that, they’ll then be able to use an authenticator app on their mobile device for codes. If they haven’t logged in before you re-enable TOTP, they will then be prompted to set it up upon next login (Figure E).
Figure E
First time login for a user who belongs to the new 2FA-enabled group.
” data-credit rel=”noopener noreferrer nofollow”> First time login for a user who belongs to the new 2FA-enabled group.
And that’s it. You now have two-factor authentication working for specific groups in Nextcloud. Enjoy this added layer of security for your on-premises cloud solution.
