Firstly, we love your product, so thanks for the awesome work.
We currently hold a license for the server edition, and we’re keen to implement 2FA to secure our instance.
We’ve read a few different posts discussing 2FA, but wondered if there were any plans to implement 2FA in the server edition, or to support any sort of multi-factor auth (Okta or Duo)?
First, you can run a (local) freeradius instance with pam + google auth, and use this with apache2, or if you can manage your clients, you can use client cert auth as well.
Neither is perfect, but having no 2FA was not an option for us.
Hopefully one day 2FA can be integrated into Manager.
Shout out if you need a hand with the config(s), etc. for either of the above, but I’m sure your Google-fu will cover it.
This can be enabled on a per-user basis. Under the Users tab, when clicking on any user (except for administrator), you will see a new checkbox.
When this checkbox is checked, a user with this option enabled will see the following notice the first time they try to log in:
They can use Google Authenticator, Authy or some other similar app to set up multi-factor authentication.
Great improvement @lubos! Another milestone added!
I totally agree with @eko that this feature should also be available for the Administrator account.
(Just to note: I just checked that in Cloud ver. 24.2.15.1305, and it is also available for users with the role “Administrator”, except only for the main Administrator account.)
Thank you @lubos for this great improvement.
My humble suggestion: as we already have this 2FA feature, I think it may get its full benefit by implementing the related feature already in ideas, mentioned below.
Because normally the staff simply close the browser in the evening and open it in the morning without needing to log in. In between, anyone who accesses the computer will get the chance to do anything in the account under the user’s name.
You gentlemen may consider this with regard to the production system’s “Administrator” account.
Set a very, very complex password for the “Administrator” account.
Then create a new account with “Administrator” Role privileges.
Name the new Admin account something else … Say “Manager”.
Now enable MFA for the new Admin account, in this example “Manager”.
Notes:
The original Administrator account will, for all intents and purposes, no longer be used, but will still be usable should it need to be resurrected with the long and complex password.
We have tested and introduced this to instances where the Ubuntu Server version of Manager is used.
Your new System Manager / Admin account can do all Manager functions you may need to achieve with MFA.
This would definitely delay a brute-force attack, but it is far less secure than you think. Even 2FA is no guarantee, but it at least survives brute-force attacks. Any protection based on a complex password alone can be broken much more easily than with more advanced protection features. Also, the Manager SQLite database would benefit from using an encryption extension. SSL is fine for online transmission purposes, but the typical SQLite database is unencrypted, and if someone manages to gain access to it then there is a problem.