Support for multi-factor authentication

Hi guys,

Firstly, we love your product, so thanks for the awesome work.

We currently hold a license for the server edition, and we’re keen to implement 2fa to secure our instance.

We’ve read a few different posts discussing 2fa, but wondered if there were any plans to implement 2fa in the server edition, or to support any sort of multi-factor auth (okta or duo)?

Thanks in advance,

1 Like

This has become a huge thing for us now as we are not only concerned about our own company data but we store a lot of customer sensitive stuff too.

Is there a 2FA product to stand in front of the Manager Server Version login to give some additional security please?

Back in Sep 2016

1 Like

2FA is now the de facto standard in online applications that store sensitive data, and I'm not really sure why @Lubos still has not implemented this.

Anyone got knowledge or recommendation for any third party tool for 2FA to patch current Manager Server version?

I ended up solving this 2 different ways.

First, you can run a (local) freeradius instance with pam + google auth, and use this with apache2, or if you can manage your clients, you can use client cert auth as well.

Neither is perfect, but having no 2fa was not an option for us.

Hopefully one day 2fa can be integrated into manager.

Shout out if you need a hand with config(s) etc. for either of the above, but I’m sure your google foo will cover it 🙂

Cheers, I may call out, thank you. Just looking at MiniOrange, which talks about a RADIUS deployment: Two-Factor Authentication (2FA) for Apache Web Server

Yup, same technique, but would highly recommend freeradius.

It is good and a must-have feature. Hope @lubos will look at this topic.
Thanks

1 Like

Yes please, we need this ASAP. Thanks

1 Like

Added to the latest version (24.2.15)

This can be enabled on a per-user basis. Under the Users tab, when clicking on any user (except for administrator), you will see a new checkbox.

When this checkbox is checked and a user with this option enabled tries to log in, they will see the following notice the first time they try to log in:


They can use Google Authenticator, Authy or some other similar app to set up multi-factor authentication.

The next time they try to log in, they will see:


10 Likes

This is a step forward but the most vulnerable account is the Administrator account and a solution is needed more urgently than users.

1 Like

That’s fantastic, thanks @lubos

As @eko mentioned, adding it to the Administrator account is also important, but it's a massive improvement.

Thank you for your hard work.

Great improvement @lubos! Another milestone added!

I totally agree with @eko to have this feature also available for the Administrator account.

(Just to note: I just checked that on Cloud ver. 24.2.15.1305 and it is also available for users with the role “Administrator”, except only for the main Administrator account.)

Thank you @lubos for this great improvement.
My humble suggestion:
As we already have this 2FA feature,
I think it may get its full benefit by implementing the related feature already in the ideas mentioned below.

Because normally the staff simply close the browser in the evening and open it in the morning without needing to log in. In between, anyone who accesses the computer will get the chance to do anything in the account under the user’s name.

Updated the Server version, enabled users for 2FA and it worked seamlessly. A big thank you.

I installed Google Authenticator, scanned the barcode, and I received a code.

Then I deleted the authenticator app on purpose; now I can't see the code.

How should I receive the code again?

Should I ask the admin again to do any steps?

Yes, assuming you are using Cloud or Server version of Manager:

  • Just get your Manager Administrator to log in and remove the “Enforce multi-factor authentication” tick box on your user account

  • You then log in as normal to Manager to confirm access without MFA enabled and OK

  • Then reinstall Google Authenticator on your device.

  • Request the Manager Administrator to tick and re-enable the “Enforce multi-factor authentication” tick box on your user name

  • Log in to Manager with your user name and password

  • Use your device to add the account to Authenticator by scanning the QR code presented to you on first Manager login with multi-factor enforced

2 Likes

Got it, thank you

You gentlemen may consider this with regard to the production system’s “Administrator” account.

  • Set a very, very complex password for the “Administrator” account.
  • Then create a new account with “Administrator” Role privileges.
  • Name the new Admin account something else … say “Manager”.
  • Now enable MFA for the new Admin account, in this example “Manager”.

Notes:

  • The original Administrator account will, for all intents and purposes, no longer be used, but will still be usable should it be resurrected with the long and complex password.
  • We have tested and introduced this in instances where the Ubuntu Server version of Manager is used.
  • Your new System Manager / Admin account can do all Manager functions you may need to achieve, with MFA.
1 Like

This definitely would delay a brute-force attack, but it is far less secure than you think; even 2FA is no guarantee, but at least it survives brute-force attacks. Any protection based on whatever complex password can be broken much more easily than with more advanced protection features. Also, the Manager SQLite database would benefit from using an encryption extension. SSL is fine for online transmission purposes, but the typical SQLite database is unencrypted, and if one manages to gain access to it then there is a problem.

1 Like