Double authentication and emergency account

Started by mc.gyver.reboot, January 30, 2023, 05:08:44 PM

Hello,

I want to put double authentication on my OPNsense but I read in the documentation that once activated, no account without 2FA can connect.
Do you have a solution for emergency access accounts, in case the authentication server is no longer reachable?

Thank you for your help!


Hi, unfortunately this does not answer my question.
My problem is that if double authentication is enabled, I cannot create an account without MFA, which gives me a problem because we need to create an "emergency" account without MFA in the event that double authentication is not available.
Do you have a solution?

What's your recovery strategy?

Typically you can set the console to unlocked for recovery purposes or disable integrated authentication, which allows you to log into console, ssh or sudo with password and not MFA.

If you want this for the GUI that is impossible (and insecure).


Cheers,
Franco

I'd suggest ssh with key.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Right, didn't even come to mind as that should be the case always. :)


Cheers,
Franco

Thank you for your help, so I think what we want to do is therefore impossible.

I suppose eventually a strategy is to either use an external auth (that includes os-freeradius) on the same box, but has some added risk for emergency accounts when the network or software is not responding.

The risk-free approach would be to have multiple "local authentication" servers that you can hold accounts so that these accounts do not reach out to 2FA, but that would be the first request I've heard and likely not within core scope.

That being said, it's possible to create a plugin for this from the existing authenticators and a user selector added, but it will likely not meet inclusion standards for core and plugins repositories.


Cheers,
Franco