OPNsense Forum

English Forums => 26.1 Series => Topic started by: opnessense on March 09, 2026, 05:14:59 PM

Title: Feature Request: FIDO2 / WebAuthn (YubiKey) support for WebGUI login
Post by: opnessense on March 09, 2026, 05:14:59 PM
Hi all,
with the latest OPNsense releases I'm reviewing my access security and I'd like to officially propose FIDO2 / WebAuthn support for WebGUI login.

I already use YubiKeys as a strong authentication method on other platforms in my homelab, and I would really like to have a similar experience on OPNsense as well.

I'm aware that OPNsense currently supports TOTP-based 2FA ("Local + Timebased One Time Password"), which works fine and can also be used with a YubiKey as TOTP generator, but the workflow I'm interested in is the more modern security key flow:

- WebGUI login with username + password + YubiKey FIDO2/WebAuthn
- optional security key PIN + physical touch as the second factor
- ability to associate multiple security keys per user (primary key + backup key)
- ideally, the option to enforce security key use at least for admin accounts.

I see there is already an open issue for FIDO/FIDO2/U2F support in the core, and some older forum discussions about this topic, so I'd like to add my voice and renew interest in this feature. There are users (like me) who are already using FIDO2/WebAuthn on other infrastructure components and would like to align OPNsense firewall access with the same security level.

For my use case this would be a major hardening step for WebGUI access, especially in scenarios where the admin may log in from trusted but not strictly "personal" machines.

Thanks a lot for your great work and for considering this feature request.
Title: Re: Feature Request: FIDO2 / WebAuthn (YubiKey) support for WebGUI login
Post by: Monviech (Cedrik) on March 09, 2026, 05:53:48 PM
Ideally you could use the business edition with OpenID Connect support and an identity provider that supports the auth scheme you require. I assume there is some OIDC provider that offers YubiKey support.
Title: Re: Feature Request: FIDO2 / WebAuthn (YubiKey) support for WebGUI login
Post by: opnessense on March 12, 2026, 09:50:19 PM
Thanks for the OIDC + Business Edition suggestion—it's a solid workaround for licensed users.

However, my focus is the free core edition for my homelab. I'd prefer native FIDO2/WebAuthn for:
- Simple login without external IdP (zero cost/dependency)
- Direct multi-key registration per admin user
- Seamless integration with existing Local + TOTP flow

Keycloak/Authelia work great, but for a standalone firewall, I'd rather avoid added complexity. Any updates on the open FIDO2 core issue? [@dev team]

Do you agree it deserves priority?