I was curious if it would be possible to add 2fa when accessing https://my.nethserver.com/. There exists sensitive information that is accessible for each registered server (like Public IP, RDNS Lookup, internal lan IP info) and I’d feel much more comfortable knowing there were optional extra safeguards that can be deployed to protect that information.
Happy Monday NS community. I wanted to bump this again and kindly request the implementation of 2fa on web portal access at https://my.nethserver.com/ for renewing/lapsed and new NS installs. Insurance companies are not giving much choice for compliance and I don’t want to be reactive to any requirements they leverage my way.
We did a couple of tests and it’s quite easy to add the 2FA to my.nethserver.com.
But the change will impact all users: every current user of my.nethserver.com will need to configure 2FA on next login.
This is a limitation of the current framework (auth0) and there is no workaround for it.
We like the idea to improve the site security by enabling 2FA, but can this change cause problems to less skilled users?
Should we enable 2FA for everyone or not? What do you think?
If I think that I always have to do 2FA when I log in to my NS, I’d go nuts with it.
For sure, 2FA would improve security. But IMO it’s only needed if you need to login from outside (internet).
Login from internal network only would need 2FA in really large environments.
NS is designed for SMB. In German it’s like “shooting sparrows with cannons” or “use a sledgehammer to crack a nut” or …
Is there a possibility to offer it as an option? Like enable/disable 2FA?
So everyone can decide if it’s needed for the specific network.
We are talking about login to my.nethserver.com, to manage subscriptions, alerts, etc.
Also, when 2FA is enabled, at login you can choose to trust your browser/computer, so that the second factor will not be asked any longer.
Due to the need to receive an invoice for my purchase, I need to provide my login credentials to a third party vendor for him to log in and pay the subscription (with credit card).
Because he does the process on his own time, should he also have an app for 2FA, or would he have to call me to request the 2FA access code, right?
This leads me to ask:
How many minutes or seconds of grace are there to achieve correct use of the 2FA verification code? In the short time I have used it elsewhere (Synology) it seems to be a matter of seconds (very annoying).
Hello giacomo, I suppose it depends on what sort of 2FA you plan to implement. I like the idea that you can trust certain browsers. What happens if I rebuild the PC that had the trusted browser? You could use a cell phone number, but I guess that would mean a cost to the Nethserver team.
What about using some sort of strong password and asking for specific characters from the password?
I have no strong opinion either way. I’m happy with the current system.
I don’t care one way or the other how it is implemented so long as it is offered as an option. I found it ironic that the forums offered this service whereas the financial/critical info of my.nethserver.com did not. At the end of the day NS the company are the ones who are in front of their insurance providers, and I can tell you mine no longer will underwrite policies for my SMB unless MFA is available & enforced.
Thank you @giacomo for following up with this, I appreciate it.
EDIT - I should clarify this is related to digital/cyber insurance.
I recently logged in to renew subscriptions of our nethservers (already a year passed, crazy). And to be honest I had to hit forgot password. So if mandatory 2fa should be implemented, I think we need an easy workaround to be able to reset the login information. But thanks a lot for working on improving and securing even more the great solution that nethserver already is. We really appreciate it!
Thank you. I just wanted to make sure that I was clear I am advocating for the availability of 2FA, not enforcing it site-wide. That being said, the above solution should work for me; can you point me in the right direction on how to implement this?