What's new

Feature request: Two factor authentication web login. (TOTP)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

DJones

Very Senior Member
Merlin feature request: Two factor authentication web login. (TOTP - Time-based one-time password)

I think this would benefit PAM (Pluggable Authentication Modules) authentication the routers use.

For those that have no idea what I’m talking about it’s a security feature that requires you to get a code from a third party authentication application usually from mobile phones. ie. Google Authencator, Authy, Duo, etc.

2FA might be annoying, but would add a second layer of protection from password guessing for those people that open their routers up to the internet. Not a perfect solution, but better than what is currently available.

Implementing it into ssh would be nice as well.

Seems to me not having 2FA on the web gui login that can be made remotely available to WAN and remote management is encouraged to be enabled via the mobile applications… seem like a very blatant security vulnerability. In this day just using passwords is a security risk, as is enabling remote management. But if your manufacturer is poking you to enable this feature under insights tab then the problem is systemic.

IMG_0006.jpeg

IMG_0005.jpeg


“secure encrypted channel” sure https will technically protect you from a MITM attack, but not from password guessing, and captcha is only going to slow that down potentially.
 
Last edited:

Just seems to me this can be better implemented OFF the router, w/ more options, features, etc. And you're NOT limited to just remote access of the router's GUI. Heck, you don't even have to manage your own certs! It's all done for you by the reverse proxy.
 

Just seems to me this can be better implemented OFF the router, w/ more options, features, etc. And you're NOT limited to just remote access of the router's GUI. Heck, you don't even have to manage your own certs! It's all done for you by the reverse proxy.

Well I agree this is an alternative, knowing users prefer the KISS method where the least involvement and knowledge is needed to setup remote management would be preferred as router based.

Proxy’s, cloudflare, and vpn server, even ddns are unknowns to well I’d like to say most user with minimal experience. I’d like Asus to implement this, but in terms of which developers are more likely to experiment with new features I’m leaning towards Rmerlin/Gnuton although I’m not above shooting Asus a feature request just seems like sending anything to Asus as a consumer would be like speaking to a wall.
 
I had a quick look at adding a TOTP-capable PAM plugin a few months ago (with the intention of interfacing it with OpenVPN), and there were simply too many software requirements for the plugin that I just gave up. The intent was to use an LDAP interface, so you could interface with a service like Jumpcloud to implement 2FA.

Definitely ain't happening for the web login however, that code is closed source.
 
I had a quick look at adding a TOTP-capable PAM plugin a few months ago (with the intention of interfacing it with OpenVPN), and there were simply too many software requirements for the plugin that I just gave up. The intent was to use an LDAP interface, so you could interface with a service like Jumpcloud to implement 2FA.

Definitely ain't happening for the web login however, that code is closed source.

Interesting, well I’m glad you explored that. I sent the feedback for feature request for TOTP to ASUS, it’s a stretch, but maybe someday.

Just seem wild to me routers don’t have this feature. Anyways thank you for the feature consideration.
 
Just seem wild to me routers don’t have this feature.
TOTP for the main webui would be problematic for a router, since the clock is not guaranteed to be sync'ed.
 
TOTP for the main webui would be problematic for a router, since the clock is not guaranteed to be sync'ed.

Not a showstopper, but true I can see how that could be a issue between reboots or if the clock drifts since I don't think these routers have a internal battery. But if your using your router as a ntp server overridding other sources on your networked devices it should be fairly synced. Chrony might drift more then others. TOTP should come with the ability to use backup passwords if for some reason your not connected to the internet, or implent a fallback to disable if internet is not detected.

Anyways.
 
If ASUS is ever going to do some kind of 2FA, I hope they also support (or immediately go for) passkeys (instead of TOTP).
 
If ASUS is ever going to do some kind of 2FA, I hope they also support (or immediately go for) passkeys (instead of TOTP).

Why not both 😉 but yeah passkey would be nice as well.

@RMerlin looks like pfsense and openwrt have taken a different approach then using LDAP


 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top