Add optional 2fa for my.nethserver.com account access?

Good Afternoon,

I was curious if it would be possible to add 2fa when accessing https://my.nethserver.com/. There exists sensitive information that is accessible for each registered server (like Public IP, RDNS Lookup, internal lan IP info) and I’d feel much more comfortable knowing there were optional extra safeguards that can be deployed to protect that information.

2 Likes

I think it can be done: we are using auth0 which already supports 2FA: https://auth0.com/docs/mfa

Of course, some changes are needed to enable it.

We will have an internal meeting in the next days about the subscription roadmap plan; we will share it with you as soon as we have a better idea of it :slight_smile:

2 Likes

Happy Monday NS community. I wanted to bump this again and kindly request the implementation of 2fa on web portal access at https://my.nethserver.com/ for renewing/lapsed and new NS installs. Insurance companies are not giving much choice for compliance and I don’t want to be reactive to any requirements they leverage my way.

Hi Royce, we had multiple meetings about the subscription program: we will keep it alive but we do not plan any update soon.

Regarding the specific request, I will try to ask it again to the team. Let’s see if this time we have a little more luck.

Thank you on both points. I’m happy as is with what the current portal/plans offer but just need that last MFA checkbox addressed so I can continue to enroll devices in the service.

1 Like

We did a couple of tests and it’s quite easy to add 2FA to my.nethserver.com.
But the change will impact all users: every current user of my.nethserver.com will need to configure 2FA at their next login.
This is a limitation of the current framework (auth0) and there is no workaround for it.

We like the idea of improving the site security by enabling 2FA, but could this change cause problems for less skilled users?

Should we enable 2FA for everyone or not? What do you think?

/cc @robb @lucanardini.70 @MrE @pike @transocean @bobtskutter @ambassadors_group @flatspin @Elleni @slightlyevolved @danb35

Simple question, @giacomo: is the project the sysadmin of all the customers?

If I think that I always have to use 2FA when I log in to my NS, I’d go nuts with it.

For sure, 2FA would improve security. But IMO it’s only needed if you need to log in from outside (internet).
Login from the internal network only would need 2FA in really large environments.
NS is designed for SMB. In German we say something like “shooting sparrows with cannons”, or “using a sledgehammer to crack a nut” …

Is there a possibility to offer it as an option? Like enable/disable 2FA?
So everyone can decide if it’s needed for the specific network.

Best regards Ralf

1 Like

We are talking about login to my.nethserver.com, to manage subscriptions, alerts, etc.
Also, when 2FA is enabled, at login you can choose to trust your browser/computer, so that the second factor will no longer be asked for.

2 Likes

Sorry, I completely misunderstood. :relaxed:

To log in to my.nethserver.com I think it’s o.k. I log in there no more than 2 or 3 times a year. :slight_smile:

1 Like

Due to the need to receive an invoice for my purchase, I need to provide my login credentials to a third party vendor for him to log in and pay the subscription (with credit card).

Because he does the process on his own time, should he also have a 2FA app, or would he have to call me to request the 2FA access code?

This leads me to ask:
How many minutes or seconds of grace are there to enter the 2FA verification code correctly? In the short time I have used it elsewhere (Synology) it seems to be a matter of seconds (very annoying).

Regards

:white_check_mark: I vote the same.

I’d prefer without mandatory 2FA…

My 2 cents
Andy

1 Like

Hi @giacomo,

For what? Two logins a year don’t make that necessary in my opinion. I see it differently with my Nethserver or my bank account.

Regards…

Uwe

Likewise. I’m not violently opposed to it, but it does strike me as unnecessary bother.

1 Like

Hello giacomo, I suppose it depends on what sort of 2FA you plan to implement. I like the idea that you can trust certain browsers. What happens if I rebuild the PC that had the trusted browser? You could use a cell phone number, but I guess that would mean a cost to the Nethserver team.

What about using some sort of strong password and asking for specific characters from the password?

I have no strong opinion either way. I’m happy with the current system.

Regards
bob

I don’t care one way or the other about how it is implemented, so long as it is offered as an option. I found it ironic that the forums offered this service whereas the financial/critical info of my.nethserver.com did not. At the end of the day NS the company are the ones who are in front of their insurance providers, and I can tell you mine will no longer underwrite policies for my SMB unless MFA is available & enforced.

Thank you @giacomo for following up with this, I appreciate it.

EDIT - I should clarify this is related to digital/cyber insurance.

Not sure what you mean, but for the enterprise customers we use a different site.
Still, we plan to move everything onto the same platform.

It’s a matter of seconds: 2FA has been built just to avoid credential sharing/stealing.

Got it!

We do not own the authentication framework and such a feature is not available.

Sorry to hear that, but it seems many users do not want 2FA enforced.

Also, please remember that my.nethserver.com does not keep any payment details: payments are delegated to Paypal which already has 2FA.

If you are uncomfortable about sending server information to my.nethserver.com, you can disable the script and still retain access to the repositories and the support.

We would like to replace the current authentication framework (Auth0) with something more flexible, but this will take time and we have no plans to implement it in the near future.

5 Likes

I recently logged in to renew the subscriptions of our nethservers (a year has already passed, crazy). And to be honest I had to hit “forgot password”. So if mandatory 2fa should be implemented, I think we need an easy workaround to be able to reset the login information. But thanks a lot for working on improving and further securing the great solution that nethserver already is. We really appreciate it!

1 Like

Thank you. I just wanted to make sure that I was clear I am advocating for the availability of 2FA, not enforcing it site wide. That being said the above solution should work for me, can you point me in the right direction on how to implement this?