Been playing with two factor auth :)

Status
Not open for further replies.

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
It will be shared, its a little too raw right now, I was working on it today. One thing I want is to be able to generate a QR code in the console for the initial installation.
 
  • Like
Reactions: PBXMePlz

siacali

New Member
Dec 30, 2019
5
0
1
60
Thanks! I'll keep an eye out for it. Given the number of people trying the doorknobs of our box every day, this would be a fantastic and much welcome addition.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
I have for example got the QR displaying in the user settings but useless when you cannot get into the gui anyway. I think I'm going to have to get it to generate and send an email when the user is created.fusionuser.png
 

siacali

New Member
Dec 30, 2019
5
0
1
60
Hmm...around our site, for things that require QR codes to enroll, we drag the QR out of the browser and slack, sms/mms or email it to the user. (just my $0.02, and probably worth about as much).
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
I think I will probably just get it to create an email and send new user details on creation, also maybe leave it so superadmin can create his QR code in the GUI the then must enable 2FA with a variable in the GUI or something. I also need a way to easily disable it from the CLI for when users inevitably lock themselves out :D
 

siacali

New Member
Dec 30, 2019
5
0
1
60
One question, did you design it to apply to "all users" or on a user-by user basis? Would be interesting to, for example, apply it to admins/superadmin-types but allow those who can do less damage continue to live dangerously...
(not intending to make a feature request here, just wondering how it's implemented)
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
No, I see little point in making it selective, the idea is to protect the PBX. Some of the previous security issues have needed gui access. I want this to be able to be applied to potentially older systems that cannot be upgraded because of heavy modification etc. In fact that is my primary need. I have older systems out there that I do not want to upgrade. Combined with the whitelist/blacklist thing I am working on that makes the sip server invisible to the net, I'm in with a fighting chance.
 
  • Like
Reactions: PBXMePlz

iota

New Member
May 29, 2020
24
9
3
USA
No, I see little point in making it selective, the idea is to protect the PBX. Some of the previous security issues have needed gui access. I want this to be able to be applied to potentially older systems that cannot be upgraded because of heavy modification etc. In fact that is my primary need. I have older systems out there that I do not want to upgrade. Combined with the whitelist/blacklist thing I am working on that makes the sip server invisible to the net, I'm in with a fighting chance.
One thing to think about though is a failback if 2FA isn't working... such as a really long recovery code... What if the only admin person's phone died and he gets a new one and his 2FA is lost? Ooops. Believe me, I've been there.
 

junction1153

Member
Jul 15, 2020
56
16
8
34
Looking forward to being able to use this feature in the future. Would we have the option ’remember the browser’ so that 2FA logins are not necessary unless it’s a new web browser?
 

bcmike

Active Member
Jun 7, 2018
337
58
28
54
One thing to think about though is a failback if 2FA isn't working... such as a really long recovery code... What if the only admin person's phone died and he gets a new one and his 2FA is lost? Ooops. Believe me, I've been there.
I just finished going through this. Dropped my phone in a lake and getting all my 2FA authenticators going again on a new phone was a major pain.

P.S. Really I'm looking forward to this feature. I've always been nervous having the gui exposed to the public network.
 
Last edited:

Kenny Riley

Active Member
Nov 1, 2017
243
39
28
37
Just wanted to check in here.. How's this coming along? Would really love the ability to implement 2FA on our systems!
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
Basically, the lead developer won't touch google auth, it died there. I'm not reinventing a perfectly good racing wheel that many of us use already anyway.
 

Kenny Riley

Active Member
Nov 1, 2017
243
39
28
37
Sounds about right. The main downfall of FusionPBX has, and apparently always will be the closed-mindedness of Mark. There's so many things that people have created in the past that could and should be committed to FusionPBX but aren't, simply because Mark wants to take credit for everything. Or he thinks he can build a better solution, but doesn't, and then tells everyone he never has enough time to do these things because he's too bombarded with support requests.

Essentially, his closed-mindedness and being stretched too thin resource wise is driving me away from investing my time any further in the product.

My opinion.
 
Last edited:
Status
Not open for further replies.