OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: kapara on October 27, 2016, 07:20:09 pm

Title: 2fa with Google Auth
Post by: kapara on October 27, 2016, 07:20:09 pm
I am curious how this works. Is the two-factor communicating directly with Google, or does this service work through a server hosted by OPNsense? If I change the firewall name or domain in the firewall, will it break the 2fa, as in the Google Auth app it says fadmin@OPNsense?

Also, if the backup is disabled to force login with 2fa and for some reason I am unable to log in again, is there a way to disable it from SSH or console so that I can get back in?

Title: Re: 2fa with Google Auth
Post by: franco on October 28, 2016, 09:20:47 am
Hi kapara,

Today, we do not need Google anymore for this. The QR code is displayed using JavaScript and you can find other TOTP-based apps in your phone's respective app store. I just tried it for the first time (not the author of that integration) and it works fine. I used the "Authenticator" app from iOS.

TOTP is a standard RFC, you can read about it here: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

Tokens are time-based; they don't work for longer than 30 seconds. So when you have to log in again you need to use a new token.
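
Added example, not part of the forum posts and not OPNsense's code: a minimal RFC 6238 TOTP implementation showing that a code is computed offline from the shared secret and the clock alone, and that the label in the QR code's `otpauth://` URI is display text that does not enter the calculation. The secret is the RFC 6238 test key, and the second label (`fadmin@fw01.example.net`) is a hypothetical renamed firewall.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(key, int(unix_time) // step, digits)

def parse_otpauth(uri):
    """Return (label, key) from an otpauth://totp/ URI as carried in a QR code."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    secret = parse_qs(parts.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore stripped Base32 padding
    return unquote(parts.path.lstrip("/")), base64.b32decode(secret)

def verify(key, submitted, unix_time):
    """Server side: recompute for the current step, compare in constant time."""
    return hmac.compare_digest(totp(key, unix_time), submitted)

# Constructed sample: RFC 6238 test key "12345678901234567890" in Base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
URI_A = "otpauth://totp/fadmin@OPNsense?secret=" + SECRET
URI_B = "otpauth://totp/fadmin@fw01.example.net?secret=" + SECRET  # hypothetical

if __name__ == "__main__":
    for uri in (URI_A, URI_B):
        label, key = parse_otpauth(uri)
        # Same secret and time give the same code, whatever the label says.
        print(label, totp(key, 59), totp(key, 60))
    _, key = parse_otpauth(URI_A)
    # A code from the step ending at t=59 is rejected once t=60 starts a new step.
    print(verify(key, totp(key, 59), 59), verify(key, totp(key, 59), 60))
```

This verifier accepts only the current 30-second step; it makes no claim about how OPNsense handles clock drift or what it stores per user.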