2FA for openVPN using Google Authenticator with self registration?
We are setting up openVPN for our users and are thinking of using Google Authenticator for the 2FA. Most of our employees are offsite and the initial registration with Google Authenticator poses an issue. For our users to register their Google Authenticator app they need to scan a QR code. The QR code is displayed in the pfsense web interface upon creating the user along with a warning that "The image can be saved and shown to a user, but treat it as a secure piece of information and do not send it through an insecure channel such as e-mail".
This leads me to a few questions:
Is the QR code valid for more than one activation? (could someone activate more than one device with it?)
Is there a limited time that the QR code remains valid? (once I Generate the QR code for a user do they have a set amount of time to activate before the QR code is no longer valid?)
Is there any method of self service registration when using Google Authenticator with openVPN where the user logs in the first time (preferably with a one time code) and is forced to register their mobile device with Google authenticator for future
If self service registration is not an option, what other methods have other admins used to get remote users registered when using openVPN with Google Authenticator?
Any suggestions would be helpful
Moved this to packages since the questions you are asking are more relevant to the FreeRADIUS package support for Google Authenticator than OpenVPN.
- It can be used multiple times, it's no different than manually entering the OTP configuration in a similar tool such as Authy or Bitwarden manually, but more convenient.
- No time limit, it's just a QR code version of the user configuration data.
- Nothing in pfSense directly. Other RADIUS servers may have options for things like that. Check around for things like daloradius which may have plugins for what you want. You can then point the auth at that external RADIUS server and let it handle the user auth and OTP.
Any time you rely on the user to "self-register" or similar terms for their own VPN setup, it's weakening security. Yes, managing users and VPN configurations is a chore, but anything that makes it substantially easier almost certainly makes it more open to attack or abuse.