Yesterday I spent an hour setting up my #NextCloud for #2FA and here is what I learned:
1. Nextcloud has official apps for both timebased OTP and FIDO U2F.
2. There's also a Yubikey one, but installing security related stuff from SomePersonOnGithub™ feels weird.
3. TOTP still feels like magic even if you know how it works. (Two devices, knowing only a shared secret but otherwise not communicating, will forever agree on continually changing sequence of numbers? 
)
4. #KeepassXC, my #PasswordManager of choice, can save TOTP secrets and then also generate TOTP codes during autotype! 
5. There are a couple of free OTP apps out there and they work well, even if your camera is too broken to scan QR Codes.
(See, #Briar? It could be SO EASY! 
)
@minx I assume that you are referring to this app https://apps.nextcloud.com/apps/twofactor_yubikey. I saw them now for the first time when explicitly searching for "yubikey". Not sure if there is any notable differences, but I would recommend this app: https://apps.nextcloud.com/apps/twofactor_u2f That's the officially supported one.
@bjoern Hello Random Internet Dude I've Never Interacted With Before™!
Thank you for the Recommendation For A Thing I Didn't Ask For™ and, furthermore, was already aware off, which you could have guessed by reading my post, since I Explicitly Mentioned The Thing You Recommend Me™!
I thus present you the Mansplainer Of The Day award 🎖 and a nice comfy place on my ignore list.
@minx I set up mine a little while ago. It's a shame that I have to set up app specific passwords for the mobile/desktop clients though. But that's the balancing act of security/usability, right?
@GigaByte4711 True, though I don't mind the app passwords, especially since nc supports a (tiny bit of) access control, in that you can say that, for example, the app password you use for your calendar sync doesn't really need file system access.
(I am pretty miffed that any change in user password breaks all app passwords without warning, tho.)
@minx It does!? I did NOT know that. Thanks for the heads up there! I also stupidly enabled the wrong kind of encryption, so now I can't use the in-browser office document editor. It would need a full decrypt and rebuild. 😣
@GigaByte4711 Yeah, apparently there's an 18 month old bugticket about it, but so far it isn't fixed.
@minx Huh. I'll just have to treat it as a "feature".
My userbase is tiny, so it's not too bad. You'd think they'd have the ability to implement a secondary prompt, like Oauth can do, so that you can use your 2FA to log in. 🤔
@GigaByte4711 Dunno, nextcloud is basically a webdav server and I don't thing there's actual 2FA for that, so app passwords make sense here.
What I don't get is why they went with a direct relationship between user password and app password, instead of, dunno, "Generate random string, concatenate it with app pasword name, save hash, done". Since they have to save "Generated app pasword with name <something>" anyway...
@minx True. Surely it wouldn't be difficult to hold the generated app passwords in an array in a database either, separate from the user password? I suppose that's what pull requests are for!
@GigaByte4711 Yeah, though with things that seem so "easy" I prefer to assume I'm missing something, like, some interaction with other authentication systems they are supporting (LDAP? Dunno) that might make this harder?
Eh, whatever, I don't know any PHP so I can't really help with implementing anything and talking as a user with developers has made me ... tired, oh so tired in the past. Might engage them on GH someday, but the dev sliding into my mentions earlier did not endear them to me.
@minx is it worth it?