TOTP access

[tomlawesome]

I have to say, I really don't understand the implementation of TOTP in OPNsense? Why does the token use the same field as the password? It would be much more user friendly/intuitive for there to be two separate fields, one for each code and appropriately labelled.

I have never seen an implementation like this and I thought I was locked out of my system. I even flashed a USB drive to reinstall! In hindsight, I re-read the docs and it *does* say that you use the system like this, and that's OK. I'm just asking if there's a technical reason or some big challenge to do it with separate pass/OTP fields?

My coding ability is rudimentary, but it seems like something an experienced coder would be able to do simply?

This is meant as constructive criticism -- I am very impressed with OPNsense and grateful for the hard work of all involved.

Thanks again for the great product 

(Sorry if this has been posted before, I tried to search)

[franco]

Hi there,

The reason is that console login, SSH, OpenVPN and IPsec amongst others do not have a third input using the user/password combination. I believe that is not all too uncommon in existing implementations.


Cheers,
Franco

[tomlawesome]

Thanks for reply Franco, that does make sense.

Is there no way to code the web GUI so that it combines the two input fields into one before querying the user permissions database? I appreciate this may not be possible due to security with passwords, and that there's likely much more important areas to focus development.

[franco]

It's possible but there is no high demand and making one part that not a lot of people see (admin GUI) more flexible with an option to show a third field to not sideline other installation has to be put into perspective:

The problem is what technical problem does it fix and is the work going into solving that technical problem worth the effort. My feeling is it is not.


Cheers,
Franco

[Obeng]

I absolutely agree with your last statement but I would like to present a more practical use case.Captive portal, making use of LDAP + TOTP. Most regular end users are not used to entering the password and token in the same field.And in the case of "Token + Password" , the token may expire before typing the password if the password is a long one.If there is a work around I could do myself I would really appreciate

[franco]

If you adjust the template in the captive portal it's not a hard thing to do...


Cheers,
Franco

[errored out]

Oben, I have seen / experience this issue before.  At first I agreed with the same way of thinking you had, until I found a easy change. 

TOTP is configured to be entered first then the password as you know.  Opnsense has a setting which allow the 6 digit TOTP to be entered behind the password (last 6 characters).  This will allow users to have the user name and password entered and sitting on the page until they want to entered in the TOTP. 

A user can have their credentials entered, walk away (just joking) and when they come back, enter in their TOTP without any issues from a time delay.

If that does not work, the MFA server can be set to accept TOTP X seconds after it have expired.

[Obeng]

I've not been here in a while. @franco you are absolutely right. I talked to some developers and they solved it in seconds.We have a working separate token field now. Thank You very much

[franco]

Nice to hear that, thanks for reporting back