Hey staff, this is more of a question/feature-request than anything else but I'd like to offer cloud hosting to my clients. The catch is that the reason we're not using other cloud hosting solutions is precisely that they have concerns about security (they work on relatively sensitive customer data, and much of their work requires signing an NDA).
I know the Web Interface would automatically be a no-go with this kind of data security, but they're honestly never going to use it. The ideal behavior would be for the service to generate a keyset for device and permissions management to limit the devices it can be used on, or requesting a code from, say, Google Auth or similar. (In which case the web interface can work, too!)
You can set more detailed permissions depending on the device, location, ... with the file firewall which ownCloud only provides in their enterprise version: https://owncloud.com/community-or-enterprise/
You might want to look at the privacyIDEA ownCloud App. Add 2FA to the web interface/login and you can centrally define which authentication device (Smartphone App, U2F, Yubikey...) belongs to which user. In addition you can use policies to define which kind of 2nd factor needs to be provided when authenticating from certain IP addresses.
