Been playing with two factor auth :)

DigitalDaz

Administrator
Staff member
Sep 29, 2016
2,478
415
83
It will be shared; it's a little too raw right now. I was working on it today. One thing I want is to be able to generate a QR code in the console for the initial installation.
 

siacali

New Member
Dec 30, 2019
5
0
1
56
Thanks! I'll keep an eye out for it. Given the number of people trying the doorknobs of our box every day, this would be a fantastic and much welcome addition.
 

DigitalDaz

I have, for example, got the QR displaying in the user settings, but that is useless when you cannot get into the GUI anyway. I think I'm going to have to get it to generate and send an email when the user is created.
 

siacali

Hmm... around our site, for things that require QR codes to enroll, we drag the QR out of the browser and Slack, SMS/MMS or email it to the user. (Just my $0.02, and probably worth about as much.)
 

DigitalDaz

I think I will probably just get it to create an email and send new user details on creation. Also maybe leave it so superadmin can create his QR code in the GUI; he then must enable 2FA with a variable in the GUI or something. I also need a way to easily disable it from the CLI for when users inevitably lock themselves out :D
 

siacali

One question: did you design it to apply to "all users" or on a user-by-user basis? Would be interesting to, for example, apply it to admins/superadmin-types but allow those who can do less damage to continue to live dangerously...
(Not intending to make a feature request here, just wondering how it's implemented.)
 

DigitalDaz

No, I see little point in making it selective, the idea is to protect the PBX. Some of the previous security issues have needed gui access. I want this to be able to be applied to potentially older systems that cannot be upgraded because of heavy modification etc. In fact that is my primary need. I have older systems out there that I do not want to upgrade. Combined with the whitelist/blacklist thing I am working on that makes the sip server invisible to the net, I'm in with a fighting chance.
 

itia

New Member
May 29, 2020
22
2
3
USA
> No, I see little point in making it selective, the idea is to protect the PBX. Some of the previous security issues have needed gui access. I want this to be able to be applied to potentially older systems that cannot be upgraded because of heavy modification etc. In fact that is my primary need. I have older systems out there that I do not want to upgrade. Combined with the whitelist/blacklist thing I am working on that makes the sip server invisible to the net, I'm in with a fighting chance.
One thing to think about though is a failback if 2FA isn't working... such as a really long recovery code... What if the only admin person's phone died and he gets a new one and his 2FA is lost? Ooops. Believe me, I've been there.
 

junction1153

New Member
Jul 15, 2020
26
1
3
30
Looking forward to being able to use this feature in the future. Would we have the option to ‘remember the browser’ so that 2FA logins are not necessary unless it’s a new web browser?
 

bcmike

Active Member
Jun 7, 2018
218
27
28
50
> One thing to think about though is a failback if 2FA isn't working... such as a really long recovery code... What if the only admin person's phone died and he gets a new one and his 2FA is lost? Ooops. Believe me, I've been there.
I just finished going through this. Dropped my phone in a lake and getting all my 2FA authenticators going again on a new phone was a major pain.

P.S. Really I'm looking forward to this feature. I've always been nervous having the gui exposed to the public network.
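
The thread covers QR-code enrollment and a long recovery code as a fallback for a lost phone. The following is an added example, not part of any post and not FusionPBX code: it assumes the 2FA is standard TOTP (RFC 6238), and the issuer name `ExamplePBX`, the user names and all function names are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def new_secret() -> str:
    # 160-bit random key, base32-encoded as authenticator apps expect
    return base64.b32encode(secrets.token_bytes(20)).decode()

def otpauth_uri(secret: str, user: str, issuer: str = "ExamplePBX") -> str:
    # This URI is the payload of the enrollment QR code
    label = quote(f"{issuer}:{user}")
    return (f"otpauth://totp/{label}?secret={secret}"
            f"&issuer={quote(issuer)}&digits=6&period=30")

def totp(secret: str, at: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HMAC-SHA1 over the big-endian time-step counter,
    # then RFC 4226 dynamic truncation
    key = base64.b32decode(secret)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def verify_totp(secret: str, code: str, at: float = None, window: int = 1) -> bool:
    # Accept +/- `window` steps of clock drift; compare in constant time
    at = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, at + i * 30).encode(), code.encode())
        for i in range(-window, window + 1)
    )

def new_recovery_codes(n: int = 8):
    # Long random codes shown once to the user; only hashes are stored
    codes = [secrets.token_hex(16) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def use_recovery_code(code: str, stored_hashes: set) -> bool:
    # Single use: a matching hash is removed so the code cannot be replayed
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False

if __name__ == "__main__":
    s = new_secret()
    print(otpauth_uri(s, "superadmin"))  # constructed sample user
    print(verify_totp(s, totp(s, time.time())))
```

For a QR code in the console, the printed URI can be piped to a tool such as `qrencode -t ANSIUTF8`. A production version would also record the last accepted time step per user so a code cannot be reused inside its window.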
 