[Solved] 2FA still not implemented for the GUI in 16.1.15?

[interfaSys]

Update: It's working, but it's just non-standard from my pov, so I've opened a Github issue: https://github.com/opnsense/core/issues/966

-----------
I've followed the documentation and generated a code for the root account, but I'm never presented a form to enter my OTP code after my password has been validated.

Is this feature not yet available?

[interfaSys]

When using the tester and selecting TOTP Server, my login/password for root is rejected: Authentication failed.

[interfaSys]

Just re-read the how-to and now I see that the auth process works as described, but not as expected:

add the created token/key before your regular password

This should really change and users should be presented with a new page on which they enter their OTP password.

https://github.com/opnsense/core/issues/966

[Andreas]

its like my thinking

https://forum.opnsense.org/index.php?topic=3098.0

[interfaSys]

Indeed

It was explained on Github that the reason for doing it like this is because there is one auth system which should work with everything, not just the GUI, so it's understandable, even if usability suffers a bit.

[Andreas]

in the login, so i think its not really so bad...
just two input fields.. one for password, one for otp... its just simplier to explain to the user
the script on the site could combine it...

is it right that the otp is even usefull for the OPENVPN auth?

[interfaSys]

in the login, so i think its not really so bad...
just two input fields.. one for password, one for otp... its just simplier to explain to the user
the script on the site could combine it...

That would be an improvement, but if the OTP password has to be used somewhere else, then you would have to teach people 2 ways of inserting the information.

is it right that the otp is even usefull for the OPENVPN auth?

I'm not sure where exactly this will be used, but VPN seems to be like an obvious one

[Andreas]

But if they can be combined in the login they would be in the cookie/database for this session and the user is logged in- or am im false?
its just the way of inserting.. nothing else...
2 fields would be simple... i tested it with 3 different user no one could really good handle it with writing first the otp and the password fast enough to get logged in

if its possible to set the auth for openvpn in combination with otp would be a dream...

[interfaSys]

But if they can be combined in the login they would be in the cookie/database for this session and the user is logged in- or am im false?

Yes, but remote workers needing to login will use OTP+password to create the VPN connection.

i tested it with 3 different user no one could really good handle it with writing first the otp and the password fast enough to get logged in

Same problem here, but as a workaround you can begin by typing your password and then type the OTP code at the beginning.

[Andreas]

Yes, but remote workers needing to login will use OTP+password to create the VPN connection.

...
Same problem here, but as a workaround you can begin by typing your password and then type the OTP code at the beginning.

I think for VPN its perfect... the people i got who uses vpn have to learn it.. its sensitive and i think this way is very ok.
but for the normal user- login in the portal to get a voucher for customers of the hotspot or changing the password its not really nice...

for my thinking its a "simple" stretching the input in two fields and combining the otp+password in the https secured server script?!

for the midterm i would prefer a solution like sophos shows
https://sophserv.sophos.com/repo_kb/120324/image/screen_otp5.png
refer https://www.sophos.com/de-de/support/knowledgebase/120324.aspx

[interfaSys]

From the UTM doc

With OTP it will be: <password><onetime pass-code>  (e.g. password128363)

[Andreas]

right- my mention was more on the menu to have the option where it is needed...

for example joomla login with otp looks like

"Sicherheitscode" is german and means the otp here


btw. - i think the fallback is realized here nicely