Netgate Discussion Forum

2 Factor Authentication

General pfSense Questions
10 Posts 7 Posters 2.4k Views
      Darkk:

      It seems 2 Factor Authentication is becoming more and more the norm to add an extra layer of security. Any plans to add something like Google Authenticator to the admin login page of pfSense?

      2 Factor authentication with SMS is no longer desired, so thinking Google Authenticator would be better.

      Thanks.

        MikeV7896:

        I wouldn't mind seeing this either… with some US Government agencies requiring contractors to secure their own systems and networks with 2FA (the company I support is going through this transition now), this could become a requirement for some companies. Certificate-based (i.e. smart card) login would be good too, but I think starting with some kind of TOTP (time-based one time password) system like Google Authenticator might be a good way to go.

        The S in IOT stands for Security

          Harvy66:

          I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know.

            MikeV7896:

            @Harvy66:

            I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know.

            Google Authenticator (and other TOTP implementations) isn't SMS-based (Google does also offer SMS-based TOTP for their own services, but that's not what either of us are referring to). There's a mobile app that runs that updates with a new code every 30 seconds. Of course, it does require that the system have relatively accurate time, so NTP would be a must if using a TOTP solution.

            I use the Google Authenticator app for accounts I have with Microsoft, my VPS provider, Amazon, and a Wordpress installation I manage. I also used it with Google before they changed their 2FA method to now use a simple verification through the Google search app, also on my phone.

            The S in IOT stands for Security

              Paint:

              We can also use an app like Authy, which integrates with Google Authenticator but works with other 2FA apps.

              https://www.authy.com/

              pfSense i5-4590
              940/880 mbit Fiber Internet from FiOS
              BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
              Netgear R8000 AP (DD-WRT)

                ultimateon:

                Wouldn't this be counter productive though?
                It would be opening up areas of attack.

                As a security measure, unless you intend to expose your router's configuration to the outside web (and even then it still seems silly for you to expose the config page to your local network).
                It's just one of those superfluous things.

                Because you can just SSH(using keys+password) and forward the port from your internal configuration VLAN to your device.

                2 Factor authentication is already present in SSH (kinda); it just seems a feature that would open up holes in your security.
                Imagine if you lost your authentication device and it also had the IP/Domain and the login info in it and you weren't returning home/work in the following days to fix the security fault?

                It seems like adding an unnecessary feature, because by default you're not going to be logging in to your router/firewall from unsecured networks, are you?

                  Darkk:

                  @Paint:

                  We can also use an app like Authy, which integrates with Google Authenticator but works with other 2FA apps.

                  https://www.authy.com/

                  I use this app as well, and it works great on my phone.

                    Darkk:

                    @ultimateon:

                    Wouldn't this be counter productive though?
                    It would be opening up areas of attack.

                    As a security measure, unless you intend to expose your router's configuration to the outside web (and even then it still seems silly for you to expose the config page to your local network).
                    It's just one of those superfluous things.

                    It seems like adding an unnecessary feature, because by default you're not going to be logging in to your router/firewall from unsecured networks, are you?

                    The idea behind 2 factor authentication is to make it harder for a brute force attack if someone has somehow gotten inside your network, or some disgruntled employee at work knows some passwords for your servers and equipment. Obviously it's bad security practice if folks outside of IT know the passwords, either from not keeping them secure or rarely ever changing them.

                    It would be an option not to use it so either way why not have it?

                      W4RH34D:

                      Well, Blizzard lets me approve logins with the push of a button on my Apple Watch. But they have endless development funds to play with.

                      Did you really check your cables?

                        jdillard:

                        @Harvy66:

                        I hate SMS based 2FA. It requires wireless connectivity and SMS has been shown to be easy to snoop on for people in the know.

                        The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA):

                        http://news.softpedia.com/news/nist-prepares-to-ban-sms-based-two-factor-authentication-506617.shtml

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.