2FA or two-factor authentication with cockpit

I left windows since light years now, really not confident nor expert, but do some antivirus/script blocker or no javascript module for browser could do this ?

merged :smiley: :slight_smile: :innocent: :wink: :upside_down_face: :slightly_smiling_face: :laughing: :grin: :heart_eyes: :star_struck:

please could you verify the work


We are proud to announce that the One time password feature to protect the login to cockpit is released…you simply have to update nethserver-cockpit and enable it for each user under the user’s settings page



Kudos to @stephdl which did a tremendous job!!


@stephdl already implemented 2FA also for SSH with password authentication!

Kudos again!


it is possible to show the secret code too, not just the QRCode image ?
It is very practical with BitWarden and/or for freak who think it is possible to spoof QR Code.

Here an example from Nextcloud

cc @davidep, what do you think ?

@JOduMonT it is to store your secret outside of your mobile IIUC

1 Like

I think we could write the base32 secret, it is what we use to generate the url

IIUC TOTP key is an equivalent of the QRcode… In this case I’d expect it has the same style of QRcode and Backup codes fields, with a circled “i” that briefly explains what to do.

sometimes less is more, isn’t it :smiley:

And not implementing it at all: it is even better! :laughing:

1 Like

Joke apart, I use the TOTP key to make a wrapper in my terminal

/usr/bin/oathtool --totp -b JSLB2WRJAEU5I5TYUHUG4W2QWZQHNBL4

So I am not sure we need a lot more works.
People would like also a way to save the key, but in that case we need to save the hex key because it is what we use in .2fa.secret

So maybe it would make more sense to display the hex key

I installed BitWarden: it has the QR scan function too. Isn’t that simpler than typing the secret?

I still don’t get the purpose of showing that complex secret in a human-readable form… Can you explain?

Sometimes it is true :slight_smile: In this sense and only if the raw TOTP secret is really needed we could list it (or maybe multiple formats of it) in the “popover” text description:


/cc @edoardo_spadoni

1 Like

Actually the otp key can be found in the user’s home: Find the OTP pin in your terminal


Yes I know, sadly on my, what we call a phone (Note4), when BitWarden open the QRCode reader it result in an impromptu error 239

Personally I’m fine with if the secret code is accessible only via CLI

@stephdl I probably misunderstood but I can’t find any .2fa.secret since 2fa is not activated yet.

True, the key is saved only when enabled

1 Like

Did you try FreeOTP?

4 posts were split to a new topic: Protect roundcubemail with otp

I think I understand your thought such as:

  1. launching the 2FA with FreeOTP
  2. retrieving the .2fa.secret
  3. add it into my bitwarden