Menu
What's new
By:
Filters Better Search

Feature request: Two factor authentication web login. (TOTP)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

DJones

Very Senior Member
Merlin feature request: Two factor authentication web login. (TOTP - Time-based one-time password)

I think this would benefit PAM (Pluggable Authentication Modules) authentication the routers use.

For those that have no idea what I’m talking about it’s a security feature that requires you to get a code from a third party authentication application usually from mobile phones. ie. Google Authencator, Authy, Duo, etc.

2FA might be annoying, but would add a second layer of protection from password guessing for those people that open their routers up to the internet. Not a perfect solution, but better than what is currently available.

Implementing it into ssh would be nice as well.

Seems to me not having 2FA on the web gui login that can be made remotely available to WAN and remote management is encouraged to be enabled via the mobile applications… seem like a very blatant security vulnerability. In this day just using passwords is a security risk, as is enabling remote management. But if your manufacturer is poking you to enable this feature under insights tab then the problem is systemic.

IMG_0006.jpeg

IMG_0005.jpeg


“secure encrypted channel” sure https will technically protect you from a MITM attack, but not from password guessing, and captcha is only going to slow that down potentially.
 
Last edited:
www.snbforums.com

Forward FQDN to LAN IP

Hi, Newbie here. How can I forward an FQDN to an IP on my LAN?
www.snbforums.com www.snbforums.com

Just seems to me this can be better implemented OFF the router, w/ more options, features, etc. And you're NOT limited to just remote access of the router's GUI. Heck, you don't even have to manage your own certs! It's all done for you by the reverse proxy.
 
eibgrad said:
www.snbforums.com

Forward FQDN to LAN IP

Hi, Newbie here. How can I forward an FQDN to an IP on my LAN?
www.snbforums.com www.snbforums.com

Just seems to me this can be better implemented OFF the router, w/ more options, features, etc. And you're NOT limited to just remote access of the router's GUI. Heck, you don't even have to manage your own certs! It's all done for you by the reverse proxy.
Click to expand...

Well I agree this is an alternative, knowing users prefer the KISS method where the least involvement and knowledge is needed to setup remote management would be preferred as router based.

Proxy’s, cloudflare, and vpn server, even ddns are unknowns to well I’d like to say most user with minimal experience. I’d like Asus to implement this, but in terms of which developers are more likely to experiment with new features I’m leaning towards Rmerlin/Gnuton although I’m not above shooting Asus a feature request just seems like sending anything to Asus as a consumer would be like speaking to a wall.
 
I had a quick look at adding a TOTP-capable PAM plugin a few months ago (with the intention of interfacing it with OpenVPN), and there were simply too many software requirements for the plugin that I just gave up. The intent was to use an LDAP interface, so you could interface with a service like Jumpcloud to implement 2FA.

Definitely ain't happening for the web login however, that code is closed source.
 
RMerlin said:
I had a quick look at adding a TOTP-capable PAM plugin a few months ago (with the intention of interfacing it with OpenVPN), and there were simply too many software requirements for the plugin that I just gave up. The intent was to use an LDAP interface, so you could interface with a service like Jumpcloud to implement 2FA.

Definitely ain't happening for the web login however, that code is closed source.
Click to expand...

Interesting, well I’m glad you explored that. I sent the feedback for feature request for TOTP to ASUS, it’s a stretch, but maybe someday.

Just seem wild to me routers don’t have this feature. Anyways thank you for the feature consideration.
 
DJones said:
Just seem wild to me routers don’t have this feature.
Click to expand...
TOTP for the main webui would be problematic for a router, since the clock is not guaranteed to be sync'ed.
 
RMerlin said:
TOTP for the main webui would be problematic for a router, since the clock is not guaranteed to be sync'ed.
Click to expand...

Not a showstopper, but true I can see how that could be a issue between reboots or if the clock drifts since I don't think these routers have a internal battery. But if your using your router as a ntp server overridding other sources on your networked devices it should be fairly synced. Chrony might drift more then others. TOTP should come with the ability to use backup passwords if for some reason your not connected to the internet, or implent a fallback to disable if internet is not detected.

Anyways.
 
If ASUS is ever going to do some kind of 2FA, I hope they also support (or immediately go for) passkeys (instead of TOTP).
 
XIII said:
If ASUS is ever going to do some kind of 2FA, I hope they also support (or immediately go for) passkeys (instead of TOTP).
Click to expand...

Why not both 😉 but yeah passkey would be nice as well.

@RMerlin looks like pfsense and openwrt have taken a different approach then using LDAP

[OpenWrt Wiki] OpenSSH Multi Factor Authentication

openwrt.org openwrt.org

www.comparitech.com

How to configure 2FA for GUI access in pfSense

This detailed guide explains how to set up two-factor authentication for GUI access in pfSense. Read it here.
www.comparitech.com www.comparitech.com
 
You must log in or register to reply here.

Similar threads

K
Latest RT-AC68U Asuswrt stock vs Merlin security
Replies
6
Views
3K
KrypteX
K
TheLostSwede
News Network Security Simplified: EnGenius Releases First Security Gateway
Replies
3
Views
1K
L&LD
L&LD
X
AC-RT88u Remote access with two factor auth
Replies
7
Views
13K
ColinTaylor
C
RMerlin
  • Locked
Release Asuswrt-Merlin 386.1 is now available
68 69 70
Replies
1K
Views
344K
RMerlin
RMerlin
M
Maximum security from a consumer router?
Replies
16
Views
9K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
M [🙏 Feature request For Asus Merlin] Add Public WiFi Mode for GT-AX11000 Asuswrt-Merlin 7
G Feature request: firewall url filter log Asuswrt-Merlin 0
Q [Feature Request] Schedule DoS Protection state and/or whitelist option Asuswrt-Merlin 5
mekki Solved UPDATE: No longer required. See thread. - [Feature request] Option for DHCP Query Frequency Backoff Mode Asuswrt-Merlin 76
M [WAN feature request] GT-AXE16000 use 2.5G port as LAN and use 2 1GB ports for dual wan Asuswrt-Merlin 14
F Several Questions Re:Asuswrt-Merlin Feature Implementation Asuswrt-Merlin 2
L Feature suggest: web notifications Asuswrt-Merlin 1
cyruz Reversing the web node reboot feature Asuswrt-Merlin 0
S GT-BE98 Version Request Asuswrt-Merlin 4
K Request for v2ray installation training on RT-AC5300 router Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 1,166 (members: 29, guests: 1,137)
Top