[SOLVED] FR OTP Authentication in extra field on login and fallback settings

[Andreas]

Hi,
would be nice if the OTP is in a extra input field and that the fallback settings could be change like that not just only its possible to choice what is the fallback, it should be possible to determine on which scenario it comes to a fallback.
actually otp works - but the fallback seems to be possible every time

[franco]

Hi there,

So the story is that after adding OTP we actually realised that there was an automatic fallback to local auth. We didn't know about it before and it's really obscure although it can save a few people from locking themselves out.

https://github.com/opnsense/changelog/blob/master/doc/16.1.15#L13




Cheers,
Franco

[Andreas]

ok - so my request would be to make it configable under which condition the fallback will happen.

and the extra input field for the otp

thx

[franco]

How would that look like?

[Andreas]

just a second input
acutally you combine otp + password
i think this makes a lot of people confuse (normal user, not admins)

just a second input field named "otp" which just wil be shown if otp is activated

fallback could be btw a another password with a higher complexity... instead of just local auth

conditions:
perhaps you just can use the fallback via a special link (just functional for a certain time) emailed to your email adress from the firewall.
condition would be 5 times wrong user/pw combination...

[franco]

I don't understand... How does it differ from what we have in 16.1.15 now?

http://imgur.com/kuZvGif

[Andreas]

that the fallback is possible.. but not normally possible.
if you activate the fallback local otp is not really helping security
if you could activate local as fallback but you need a special links which opens a short timed session you can use your normal local as fallback but secured

[Andreas]

btw - there do i get the voucher code for auth?