Integrate luci + 2fa

akallabeth · March 15, 2021, 9:39am

I´m currently researching options to allow luci + TOTP which I could not find in current master.
So, before duplicating effort, are there any plans already in motion to implement this?
If not, was there already some research into the topic?

(If I should have missed something sorry, new to the forum, did not have the need until now to change something, happy user since many years)

slh · March 15, 2021, 9:12pm

This has come up a couple of times in the past, but no one who wanted to implement 2fa could provide and answer of how to accomplish this reliably. Keep in mind:

most devices (basically all but x86_64) supported by OpenWrt don't have a battery backed RTC, so there is no valid time/ date available before internet connectivity has been successfully established (and ntp synced the clock)
you can't depend on internet connectivity for this purpose, as you'll need immediate access most, whenever there are problems with that

Please search the forum for previous discussions, if you're interested in more details.

akallabeth · March 16, 2021, 7:22am

thanks you for the hints, seem to have missed MFA on Openwrt SSH & LuCi while searching yesterday.

While the RTC/NTP requirement is bad for problems with internet connectivity that can be avoided by only using 2fa if accessed from the internet interface and skipping it when accessed from local interface

WhyNotHugo · July 1, 2021, 4:19pm

Using WebAuthn should work pretty well. It doesn't require internet connectivity, and it doesn't need an accurate clock.

That would allow using things like a Yubikey as a 2FA, which seems like a very solid approach.

VCTGomes · March 9, 2024, 6:48pm

WebAuthn needs a valid certificate to work in the most browsers.