MFA for pfSense GUI
-
Sometimes it is difficult to understand the ask.
The ask for 2FA is not to have 2FA as such; the ask is to be compliant.
We can argue all day long why it is stupid or irrational, but without 2FA it will not be a compliant product, period.
Without compliance the insurance cost will be prohibitive and potential customers will walk away.
Now see it from the manager's point of view: the sysadmin is arguing that pfSense is a great product and better than any other on the market, but it is not compliant. You trust your sysadmin, but you cannot do what he is asking, due to business requirements.
And yes, if you are a sysadmin and your preferred product is not compliant or is very difficult to implement/support, you will sadly agree with the manager and move on to Fortigate or so.
-
@revamp said in MFA for pfSense GUI:
The ask for 2FA is not to have a 2FA as such, the ask is to be compliant.
How is it not compliant? Perhaps it's the way you are explaining the requirement, because we have gone back and forth on this. Maybe there's a miscommunication here?
-
2FA is required to be compliant regardless of the context. Even more, there is now a trend to have 2FA for console access as well (not only the web UI).
-
@revamp LOL, well as long as you are aware that Palo Alto, the number 1 security vendor in the world, and pfSense would fail your requirement. I guess Fortigate wouldn't?
-
I can understand devs not wanting to dedicate time to something like MFA, but with passwordless becoming hot and FIDO being one of the only truly hack-resistant authentication methods these days, it's got to become a serious consideration. That, or you're not worth your weight any longer in this day and age.
I also wonder how some of these people became moderators, reading their interactions on this thread. People like that only detract from the serious discussions about growing threats out in the wild today. Heaven forbid someone's asset gets compromised on the inside by any number of means (want me to start listing the top ten right now that would bypass your precious 'walled off security' fallacy?), which totally opens your fracking GUI to someone who shouldn't have access. The only way this arrogant moderator is correct in his statement that MFA is a waste of time and that restricting access to a management network makes sense, even back in '18 let alone today, is if your entire network is air-gapped.
Arrogant high-horse know-it-alls like this guy are why people get misinformed these days. Leave your prehistoric assumptions back in 1999 where they belong and start paying attention to the new reality we live in. If a real hacker, and not some random script kiddie, wants in, they will find a way in. Stop making it easier for them by wagging the dog.
Sorry for the rant, but after three major incidents in five years I can no longer tolerate the ignorance people peddle as greater knowledge. If it were not for FIDO adoption after the first attack, I doubt there would still be a company standing.
-
TrueNAS supports 2FA natively, so it doesn't seem that hard to implement assuming it meets "requirements."
Not sure why there is so much resistance by Netgate and/or its "representatives." The only problem is most MFA methods assume you have cell service and/or physical access.
-
You can set up static IP access also. Mine only allows specific IP/MAC addresses to access the firewall GUI.
-
@ivor One that does not allow you to skip the MFA part and still log in with the admin account without MFA.
-
All,
FYI, OPNsense currently offers support for multiple forms of MFA authentication throughout the entire system (with one notable exception being console/ssh access).
Supported services are:
- OPNsense Graphical User Interface
- Captive Portal
- Virtual Private Networking - OpenVPN & IPsec
- Caching Proxy
Since the pfSense devs seem to think that because you log in to your laptop with a username/password and the pfSense GUI also requires a username/password, that counts as MFA (no, it does not).
Guess it's time to switch?
Can't believe that this is even a discussion.
-
It isn't, this thread is over a year old.
-
stephenw10 locked this topic on