Feature #12546
Add 2FA Support to pfSense Plus Local Database Authentication
Status: open
0%
Description
To eliminate the reliance on unsupported packages like FreeRADIUS for making this work, we should add the capability for time-based tokens to the built-in user database in pfSense. This could be "bolted on" to the end of passwords, similar to how other options accomplish this for OpenVPN or IPsec VPNs, but we may also be able to add a dedicated 2FA field to the webConfigurator login.
Updated by Michael Pace about 4 years ago
Hello,
This would be hugely helpful. Insurance companies are starting to require we implement 2FA across the board. Having it natively in pfSense would save a great deal of frustration.
Updated by Kris Phillips almost 4 years ago
Further expounding on this, it appears that Viscosity has native capability to add prompts in the client config.
auth-user-pass
static-challenge "Please provide your One-Time Passcode" 0
This can be "merged" into the password field with a bit of finagling and scripting. This may be a way to add a backend for this in pfSense.
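The scheme sketched in the description and in the Viscosity note above (the one-time code typed after the password into the single password field, split off and checked separately by the server) is shown below as an added example in Python; it is not pfSense code and not from any pull request linked in this issue. The user record, salt and password are constructed, and the TOTP secret is the RFC 6238 test-vector key so the generated codes can be checked against the RFC's published values.

```python
"""Reference verification of a combined "password + one-time code" login field.
Added example, not pfSense code; the user record and secrets are constructed."""
import base64
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30    # seconds per RFC 6238 time step
TOTP_DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    secret = secret_b32.strip().upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, for_time: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(for_time) // step, digits)


def split_combined_field(combined: str, digits: int = TOTP_DIGITS):
    """Split 'password<code>' as typed into one OpenVPN/web password field.
    The last `digits` characters are always the code, so a password that itself
    ends in digits stays unambiguous. Returns None when the field cannot be split."""
    tail = combined[-digits:]
    if len(combined) <= digits or not (tail.isascii() and tail.isdigit()):
        return None
    return combined[:-digits], tail


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_login(username, combined, user_db, now=None, window=1):
    """Check password and TOTP together. Both factors are evaluated before
    deciding, so a wrong password does not short-circuit and reveal which
    factor failed. Each code is accepted once: the matched time step is
    recorded and that step or any earlier one is refused afterwards."""
    now = time.time() if now is None else now
    user = user_db.get(username)
    parts = split_combined_field(combined)
    if user is None or parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

    step_now = int(now) // TOTP_STEP
    matched_step = None
    for drift in range(-window, window + 1):   # tolerate +/- `window` steps of clock drift
        candidate = step_now + drift
        if hmac.compare_digest(code, hotp(user["totp_secret"], candidate)):
            matched_step = candidate
    otp_ok = matched_step is not None and matched_step > user["last_step"]   # replay protection

    if pw_ok and otp_ok:
        user["last_step"] = matched_step
        return True
    return False


# Constructed sample record. The base32 secret is the RFC 6238 test-vector key
# ("12345678901234567890"), used only so codes can be checked against the RFC's
# published values; it is not a real credential.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"constructed-salt-not-random"
USERS = {
    "admin": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery", DEMO_SALT),
        "totp_secret": DEMO_SECRET,
        "last_step": -1,
    }
}

if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code at this time is 287082
    field = "correct horse battery" + totp(DEMO_SECRET, t)
    print(verify_login("admin", field, USERS, now=t))   # True
    print(verify_login("admin", field, USERS, now=t))   # False: same code replayed
```

The fixed-width suffix is what makes the single-field approach workable: the server never has to guess where the password ends. The drift window and the `last_step` record are the two checks a practitioner would expect around it, one for clients whose clocks are slightly off, the other so a code captured from one login cannot be reused within the same step. In a real deployment the TOTP secret belongs in the user record alongside the password hash, stored with the same care.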
Updated by jeffrey Smith almost 3 years ago
Can we please add support for passkeys into default accounts for pfsense.
Apple and Microsoft are adding native support to their OSes.
https://developer.apple.com/passkeys/
https://www.bleepingcomputer.com/news/microsoft/windows-11-is-getting-a-built-in-passkey-manager-for-windows-hello/
Android 14 will have support as well.
https://9to5google.com/2023/03/01/android-14-passkey-dashlane/
https://github.com/herrjemand/awesome-webauthn There are PHP and Go server-side implementations here already.
The benefit of this is that it is a phishing-resistant form of authentication, can't be keylogged, and is much safer than having just a password.
Updated by Kris Phillips almost 3 years ago
jeffrey Smith wrote in #note-4:
Can we please add support for passkeys into default accounts for pfsense.
Apple and Microsoft are adding native support to their OSes.
https://developer.apple.com/passkeys/
https://www.bleepingcomputer.com/news/microsoft/windows-11-is-getting-a-built-in-passkey-manager-for-windows-hello/
Android 14 will have support as well.
https://9to5google.com/2023/03/01/android-14-passkey-dashlane/
https://github.com/herrjemand/awesome-webauthn There are PHP and Go server-side implementations here already.
The benefit of this is that it is a phishing-resistant form of authentication, can't be keylogged, and is much safer than having just a password.
This should probably be a separate feature request, since this Redmine is specific to TOTP, certificate, or hardware-key-based 2FA. I'll generate one shortly.
Updated by Kris Phillips almost 3 years ago
Redmine created for separate feature request: https://redmine.pfsense.org/issues/14743
Updated by Kryštof Kadlec 24 days ago
Hello,
I have submitted a pull request which implements a core MFA framework and OpenVPN hooks to support this feature.
PR is available for review here: https://github.com/pfsense/pfsense/pull/4751
Updated by Kryštof Kadlec 24 days ago
I have also submitted a follow-up pull request utilizing the implementation mentioned above.
It enables 2FA via Cisco Duo API backend and is available for review here: https://github.com/pfsense/FreeBSD-ports/pull/1440
Updated by Al Ortiz 9 days ago
As a federal contractor, my small business is seeking to comply with the forthcoming US DoD CMMC cybersecurity standards.
Hardening our internal network is a high priority so that we can enjoy continued Federal contract work.
Adding another "admin" user under FreeRADIUS, while leaving the hacker-well-known Local Auth "admin" account password-only, does not harden the system.
Rather, it increases the attack surface. Passwords alone make time the enemy.
CMMC is imminent. MFA will become a requirement for certain levels of security.
I recommend urgent implementation.