2FA or two-factor authentication with cockpit

I left Windows light years ago now, so I'm really not confident nor an expert, but could some antivirus/script blocker or no-JavaScript module for the browser do this?

merged :smiley: :slight_smile: :innocent: :wink: :upside_down_face: :slightly_smiling_face: :laughing: :grin: :heart_eyes: :star_struck:

please could you verify the work

2 Likes

We are proud to announce that the one-time password feature to protect the login to Cockpit is released. You simply have to update nethserver-cockpit and enable it for each user under the user’s settings page.

https://docs.nethserver.org/en/v7/base_system2.html#two-factor-authentication-2fa

8 Likes

Kudos to @stephdl, who did a tremendous job!!

5 Likes

@stephdl already implemented 2FA also for SSH with password authentication!

Kudos again!

6 Likes

Is it possible to show the secret code too, not just the QR code image?
It is very practical with BitWarden and/or for freaks who think it is possible to spoof a QR code.

Here is an example from Nextcloud:

[image: Nextcloud screenshot]

cc @davidep, what do you think ?

@JOduMonT it is to store your secret outside of your mobile IIUC

1 Like

I think we could write the base32 secret; it is what we use to generate the URL.

IIUC the TOTP key is an equivalent of the QR code… In this case I’d expect it to have the same style as the QR code and Backup codes fields, with a circled “i” that briefly explains what to do.

sometimes less is more, isn’t it :smiley:

And not implementing it at all: it is even better! :laughing:

1 Like

Joking apart, I use the TOTP key to make a wrapper in my terminal:

/usr/bin/oathtool --totp -b JSLB2WRJAEU5I5TYUHUG4W2QWZQHNBL4

So I am not sure we need a lot more work.
People would also like a way to save the key, but in that case we need to save the hex key because it is what we use in .2fa.secret.

So maybe it would make more sense to display the hex key.
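The points raised in this post (the base32 secret fed to oathtool, the hex form stored on disk, and the otpauth URL behind the QR code) are easier to see with a small worked implementation. The block below is an added example, not code from this thread or from nethserver-cockpit. It assumes the usual TOTP parameters (HMAC-SHA1, 30-second step, 6 digits); the sample key is the RFC 4226/6238 test-vector key and is constructed for illustration, not anyone's real secret; and it assumes that the hex form mentioned above is simply the raw key bytes hex-encoded, which is an inference from the post rather than a documented file format.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional

# Constructed sample key: the RFC 4226 / RFC 6238 test-vector key
# "12345678901234567890", in base32 and hex. Not a real user's secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def base32_to_key(secret: str) -> bytes:
    """Decode the base32 form shown in an otpauth URL (case and padding forgiven)."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the '=' padding that some UIs strip
    return base64.b32decode(s)


def key_to_base32(key: bytes) -> str:
    """Encode raw key bytes as unpadded base32, the form authenticator apps accept."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def hex_to_base32(hexkey: str) -> str:
    """Hex-encoded raw key (assumed on-disk form) -> base32 form used in QR codes."""
    return key_to_base32(bytes.fromhex(hexkey))


def base32_to_hex(secret: str) -> str:
    """Base32 form used in QR codes -> hex-encoded raw key."""
    return base32_to_key(secret).hex()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Constant-time check against the current step and +/- `window` steps (clock drift)."""
    if at is None:
        at = time.time()
    counter = int(at) // 30
    return any(
        hmac.compare_digest(hotp(key, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def otpauth_url(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URL that is normally rendered as the QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    )
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    key = base32_to_key(SAMPLE_SECRET_B32)
    print(otpauth_url(SAMPLE_SECRET_B32, "admin@example.com", "NethServer"))
    print("hex form of the same key:", base32_to_hex(SAMPLE_SECRET_B32))
    print("current code (compare with oathtool --totp -b):", totp(key))
```

Running `totp(key)` at a given moment should print the same six digits as `oathtool --totp -b <base32>` for that key, which is the quickest way to confirm the two representations describe the same secret. `verify_totp` is the server-side counterpart: it accepts one step of drift either way and uses `hmac.compare_digest` so that a wrong code costs the same time as a right one.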

I installed BitWarden: it has the QR scan function too. Isn’t that simpler than typing the secret?

I still don’t get the purpose of showing that complex secret in a human-readable form… Can you explain?

Sometimes it is true :slight_smile: In this sense and only if the raw TOTP secret is really needed we could list it (or maybe multiple formats of it) in the “popover” text description:

[image: popover screenshot]

/cc @edoardo_spadoni

1 Like

Actually the OTP key can be found in the user’s home: Find the OTP pin in your terminal

2 Likes

Yes, I know. Sadly, on my so-called phone (Note4), when BitWarden opens the QR code reader it results in an impromptu error 239.

Personally I’m fine if the secret code is accessible only via CLI.

@stephdl I probably misunderstood but I can’t find any .2fa.secret since 2fa is not activated yet.

True, the key is saved only when enabled

1 Like

Did you try FreeOTP?

4 posts were split to a new topic: Protect roundcubemail with otp

I think I understand your thought, such as:

  1. launching the 2FA with FreeOTP
  2. retrieving the .2fa.secret
  3. adding it into my Bitwarden

:wink:

2 Likes