Merlin feature request: Two factor authentication web login. (TOTP - Time-based one-time password)
I think this would benefit PAM (Pluggable Authentication Modules) authentication the routers use.
For those that have no idea what I’m talking about, it’s a security feature that requires you to get a code from a third-party authentication application, usually from mobile phones, i.e. Google Authenticator, Authy, Duo, etc.
2FA might be annoying, but would add a second layer of protection from password guessing for those people that open their routers up to the internet. Not a perfect solution, but better than what is currently available.
Implementing it into ssh would be nice as well.
Seems to me not having 2FA on the web GUI login that can be made remotely available to WAN and remote management is encouraged to be enabled via the mobile applications… seems like a very blatant security vulnerability. In this day just using passwords is a security risk, as is enabling remote management. But if your manufacturer is poking you to enable this feature under the insights tab then the problem is systemic.
“Secure encrypted channel”: sure, HTTPS will technically protect you from a MITM attack, but not from password guessing, and captcha is only going to slow that down potentially.