Two-factor authentication



  • What is the status of 2FA for pfSense?


  • LAYER 8 Global Moderator

    As far as what? Login to the GUI? OpenVPN already has two-factor: cert and username/password is 2FA.



  • I would love support for Google Authenticator.
    Just saying ;)


  • LAYER 8 Global Moderator

    For what, the GUI login? Or OpenVPN? Or something else? I am fairly sure I saw a thread where someone was using Google auth with LinOTP, and there is a link to a doc on how to use OTP with pfSense mOTP:

    https://doc.pfsense.org/index.php/Mobile_One-time_Passwords_with_FreeRADIUS

    Here is a thread where a person said they had it working with Google auth:
    https://forum.pfsense.org/index.php?topic=95210.0

    But I want to state again that 2FA is already there: just enable remote access (SSL/TLS + user auth). Now the user needs the cert and username and password = 2FA: something they have (the cert) and something they know (username and password).

    While OTPs are slick and all... who is going to be using this VPN? So your goal is for nobody to actually use it ;) Since the harder you make something to access, the less likely users are going to actually use it. There is security, and there is just over-the-top, pointless overhead to use a service.



  • Hehe, OK. I'll call it 3FA then (usr/pw/Google Authenticator one-time token key).
    And I was thinking about built-in support for GUI/SSH login, basically access to pfSense.

    Maybe better to refer to it as multi-factor authentication (MFA) ;D


  • LAYER 8 Global Moderator

    And it is already there for OpenVPN. Why would you want/need it on the web GUI? From a security point of view, putting pfSense in, say, an enterprise, the only machines that should be able to access the GUI would be from an admin/management segment and would be specific IP machines.

    So now you need authentication to these machines, and then auth to pfSense. This is MFA. Allowing anyone from anywhere access to your web GUI and then trying to lock it down with MFA is not the way to do it from a security point of view at all. Controlled access to even attempt to log in to the management interface would be the way to do it.

    I work with many firewalls (Juniper, Check Point, ASA/PIX, Palo Alto) and have never seen MFA set up on the management GUI. Nor has anyone ever asked for it, etc. Sure, on VPN access I have seen it a lot, but never on the management interface of a networking/security device, because in a secured environment only authorized persons should have access to either the console (since devices would be in a locked room) and, from a network standpoint, you don't make the web GUI available to the user LAN ;)

    If you need remote access to the GUI, then VPN in; set up MFA to access the VPN and there you go, etc.



  • Hi John,

    I appreciate this wasn't done in the past, but most of those models of firewall you state have turned up in the Shadow Brokers NSA dump: Juniper, ASA/PIX, also Fortinet, Huawei. To my mind, every small extra layer of security we can implement, such as OTP on the GUI, we should, as network security devices are a key target. For someone like myself as an MSSP wanting to recommend pfSense to SMEs and then actively manage them, it would be a nice to have. It's becoming standard on a lot of servers, honey platforms etc., like long unique passphrases and password managers, as well as everything you mentioned in your posts. An attacker could completely pwn the terminal I use to connect and the creds, but they would need to have access to my iPhone as well. Every small layer adds another, sometimes huge, cost to an attacker that can make the difference, deter them and add weeks to their attack. pfSense is a really solid bit of work these days, stable; small things like better ClamAV sigs and OTP and maybe a few more really help it compete with the increasingly security conscious.

    J

