@fu #TOTP is the proper way of doing #2FA, your mobile device (or local computer, see my script at f.haeder.net/2fa.sh ) stores the secret keys, no mobile number needed. #Nextcloud provides TOTP, by notifications (accept/reject) and by email. If you don't enable it, someone only need to guess your password and can login. Here on my instance that person won't come far, including that my password is unique here.