Two-factor authentication adds a second check after the account password, so a stolen password alone is not enough to open the Nextcloud account. Time-based one-time password apps are the common choice because they work without a hardware key and can be verified immediately during setup.
The Security settings page controls personal two-factor providers. Enabling TOTP creates a secret for the authenticator app, asks for a test code, and then requires the code on the next sign-in.
Set up app passwords before enabling two-factor authentication for accounts that use desktop sync, mobile sync, WebDAV mounts, or other third-party clients. Those clients cannot complete an interactive second-factor prompt and should use a dedicated app password instead.
Create app passwords for clients that need continued access after two-factor authentication is enabled.
Related: How to create a Nextcloud app password
Do not save the TOTP secret in screenshots, tickets, or shared notes. Store recovery material only in an approved password manager or secure recovery location.
An administrator can also verify the provider state from the server shell.
$ sudo -E -u www-data php occ twofactorauth:state ada Two-factor authentication is enabled for user ada Enabled providers: - totp