Netgate Discussion Forum

2 Factor Authentication

General pfSense Questions
10 Posts, 7 Posters, 2.4k Views
Darkk (Jul 27, 2016, 2:20 AM)

It seems 2 Factor Authentication is becoming more and more the norm to add an extra layer of security. Any plans to add something like Google Authenticator to the admin login page of pfSense?

2 Factor authentication with SMS is no longer desired, so thinking Google Authenticator would be better.

Thanks.
MikeV7896 (Jul 27, 2016, 12:01 PM)

I wouldn't mind seeing this either… with some US Government agencies requiring contractors to secure their own systems and networks with 2FA (the company I support is going through this transition now), this could become a requirement for some companies. Certificate-based (i.e. smart card) login would be good too, but I think starting with some kind of TOTP (time-based one time password) system like Google Authenticator might be a good way to go.

The S in IOT stands for Security
Harvy66 (Jul 27, 2016, 12:07 PM)

I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know.
MikeV7896 (Jul 27, 2016, 12:23 PM)

@Harvy66:

I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know.

Google Authenticator (and other TOTP implementations) isn't SMS-based (Google does also offer SMS-based TOTP for their own services, but that's not what either of us is referring to). There's a mobile app that updates with a new code every 30 seconds. Of course, it does require that the system have relatively accurate time, so NTP would be a must if using a TOTP solution.

I use the Google Authenticator app for accounts I have with Microsoft, my VPS provider, Amazon, and a WordPress installation I manage. I also used it with Google before they changed their 2FA method to now use a simple verification through the Google search app, also on my phone.

The S in IOT stands for Security
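The TOTP mechanism described in the post above (a new code every 30 seconds, and why the device checking it needs accurate time), as an added Python example that is not from this thread or from pfSense. It implements RFC 4226 HOTP / RFC 6238 TOTP directly; the secret is RFC 6238's published test value, and the "firewall" is simulated by passing in a Unix timestamp.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `skew_steps` steps either side so a few
    seconds of clock drift are tolerated; a clock that is minutes off (no NTP) fails every code."""
    current = int(unix_time) // step
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(secret, current + delta, digits)
        # constant-time compare; no early return so timing does not reveal which step matched
        ok |= hmac.compare_digest(expected, candidate)
    return ok


# Constructed demo secret: RFC 6238's published test vector key, not a real credential.
SECRET = b"12345678901234567890"


def clock_drift_demo(server_time: int = 1_111_111_109) -> dict:
    """Why the firewall needs NTP: a client 20 s off still passes, one 2 min off does not."""
    return {
        "in_sync": verify_totp(SECRET, totp(SECRET, server_time), server_time),
        "drift_20s": verify_totp(SECRET, totp(SECRET, server_time + 20), server_time),
        "drift_120s": verify_totp(SECRET, totp(SECRET, server_time + 120), server_time),
    }


if __name__ == "__main__":
    print(totp(SECRET, 59, digits=8))  # RFC 6238 test vector: 94287082
    print(clock_drift_demo())
```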
Paint (Jul 27, 2016, 1:11 PM)

We can also use an app like Authy, which integrates with Google Authenticator but works with other 2FA apps.

https://www.authy.com/

pfSense i5-4590
940/880 mbit Fiber Internet from FiOS
BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
Netgear R8000 AP (DD-WRT)
ultimateon (Jul 27, 2016, 1:48 PM)

Wouldn't this be counterproductive though?
It would be opening up areas of attack.

As a security measure, unless you intend to expose your router's configuration to the outside web (and even then it still seems silly for you to expose the config page to your local network).
It's just one of those superfluous things.

Because you can just SSH (using keys+password) and forward the port from your internal configuration VLAN to your device.

2 Factor authentication is already present in SSH (kinda); it just seems a feature that would open up holes in your security.
Imagine if you lost your authentication device and it also had the IP/domain and the login info in it, and you weren't returning home/work in the following days to fix the security fault?

It seems like adding an unnecessary feature, because by default you're not going to be logging in to your router/firewall from unsecured networks, are you?
Darkk (Jul 27, 2016, 6:17 PM)

@Paint:

We can also use an app like Authy, which integrates with Google Authenticator but works with other 2FA apps.

https://www.authy.com/

I use this app as well and it works great on my phone.
Darkk (Jul 27, 2016, 6:21 PM)

@ultimateon:

Wouldn't this be counterproductive though?
It would be opening up areas of attack.

As a security measure, unless you intend to expose your router's configuration to the outside web (and even then it still seems silly for you to expose the config page to your local network).
It's just one of those superfluous things.

It seems like adding an unnecessary feature, because by default you're not going to be logging in to your router/firewall from unsecured networks, are you?

The idea behind the 2 factor authentication is to make it harder for a brute force attack if someone has somehow gotten inside your network, or some disgruntled employee at work knows some passwords for your servers and equipment. Obviously it's bad security practice if folks outside of IT know the passwords, either from not keeping them secure or rarely ever changing them.

It would be an option not to use it, so either way why not have it?
W4RH34D (Jul 27, 2016, 6:24 PM)

Well, Blizzard lets me approve logins with the push of a button on my Apple Watch. But they have endless development funds to play with.

Did you really check your cables?
jdillard (Jul 27, 2016, 6:57 PM)

@Harvy66:

I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know.

The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA):

http://news.softpedia.com/news/nist-prepares-to-ban-sms-based-two-factor-authentication-506617.shtml
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.