Hello, I want to authenticate WinBox or SSH with a second factor. The problem is the password, which MikroTik sends as MS-CHAPv2, so it's hashed. The authenticator cannot recognize it and I get a blank password field. Is there any option to change MS-CHAPv2 to PAP, for example, or whatever?
What about dot1x? There are a few EAP methods. Can I authorize that way?
Want to change a secure method to an insecure method to add another insecure layer?
What if someone gets a password? Even if it's hashed in the MikroTik system. What is secure in this kind of method?
Thanks
A possible (untried) alternative for 2FA with SSH is to configure a container with Google's libpam and SSH which could act as a sort of "jumpbox" for access to the router. Appropriate firewall rules would prevent direct access.
You can try this container https://hub.docker.com/r/neochrome/bastion, but this is only for SSH, not WinBox.
Learn something new:
I didn't know that was possible. That's a little cleaner than adding a container. And it theoretically covers all methods of router access.
Long shot but... if you are familiar with web development and building docker images you can create a web wrapper for Webfig with 2FA to run in a container. Some example: https://seantodd.co.uk/blog/putting-2fa-on-everything/
True, not quite an easy setup, but still easier than writing a Webfig wrapper
The second factor can simply be the SSH cert, the MAC of the device used to attempt the access, the IP bound to the profile, etc. etc. etc.
*** BEGIN FIRST HYPOTHETICAL ENVIRONMENT ***
Open WinBox,
select the device from the Managed / Neighbors / RoMON list,
example: “MySecuredRouter KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======”
simply click on that device and copy the full name into the Note: field.
Advanced solution) The dedicated program, in memory, reads that value, looks up in an internal database the key bound to that device and, using the code, calculates the right OTP password,
and after the security password is entered, pastes the generated OTP password directly into WinBox.
Standard solution) paste what appears in the name into the dedicated OTP password generator, which requires a password to be used, and use that value as the OTP password.
Simply click on connect... done...
The password is changed automatically and internally by the RouterBOARD using an internal algorithm every X minutes,
and obviously the program knows that algorithm and can generate the right password.
This method is not usable when roaming, if one does not have one's own hardware for remote access.
*** END FIRST HYPOTHETICAL ENVIRONMENT ***
*** BEGIN SECOND HYPOTHETICAL ENVIRONMENT ***
Trying to access the RouterBOARD with a specific username and password causes the RouterBOARD (if it is online) to connect to a remote site to retrieve the password to set on another username.
The user at this point uses another username with the password specified on the other site.
To access the RouterBOARD the user must know both login credentials and also the credentials of the remote site, and also what the remote site is...
This method is also usable on guest devices for remote access.
*** END SECOND HYPOTHETICAL ENVIRONMENT ***
*** BEGIN THIRD HYPOTHETICAL ENVIRONMENT ***
Connect to one remote webpage; with a PIN or username/password the site stores the caller IP.
The RouterBOARD accepts the username/password entered only if the call is coming from the same IP and if the PIN / password was already entered on the remote site in the last 1 or 2 minutes.
Obviously the remote site does not have any hint of what the purpose of this hidden webpage is...
This method is also usable on guest devices for remote access.
*** END THIRD HYPOTHETICAL ENVIRONMENT ***
Serious question, I'm not kidding:
Aside from preventing someone who gets the exact right credentials from logging into the router on the first try,
what is two-factor authentication for?
Preventing authentication even if the password is compromised - which should not be set aside.
Btw. you are missing some hypotheses using SMS codes and setting dynamic passwords combining them (if OP owns an MT device with a GSM/LTE modem)
I'd like, if possible, to get answers that don't involve what I've already ruled out: username and password being stolen (no matter how or why)
Just because not all devices have SIMs.
But yeah, just send an SMS from an authorized number to that device which sets the password specified in the SMS and the problem is already solved...
(and the SMS must also contain the SMS commands password)
If it is already set and the script is already present, just send one SMS to the RouterBOARD like:
:cmd Vq70980q script chgpass mynesSPERScurPXEAWRD
Ruled out, but it is a concern imho.
> Just because not all devices have SIMs.
> But yeah, just send an SMS to that device which sets the password specified in the SMS and the problem is already solved...
> (and the SMS must also contain the SMS commands password)
I'm using SMS commands for enabling/disabling VPN access, quite useful and I think safer than port knocking. Ah yes... hypothesis: use port knocking to trigger sending a 2FA code to email
Or, for the paranoid, also encode the password in the SMS;
the script chgpass decodes it and applies the correct password.
:cmd Vq70980q script chgpass KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======
Since the encoding can be arbitrary and not necessarily baseXX, it is strong enough to detect failed tries.
Encoding the password that way allows the user to also use special characters not allowed in the GSM7 alphabet...
http://forum.mikrotik.com/t/sms-charset-problem/74623/2
> Or, for the paranoid, also encode the password in the SMS;
> the script chgpass decodes it and applies the correct password.
> :cmd Vq70980q script chgpass KNHT6ICJOMQG63TFEBSXQYLNOBWGKLROFY======
> Since the encoding can be arbitrary and not necessarily baseXX, it is strong enough to detect failed tries.
> Encoding the password that way allows the user to also use special characters not allowed in the GSM7 alphabet...
> SMS - charset problem - #2 by rextended
Why not just simply:
:cmd Vq70980q 2fa-script
- the 2fa-script can generate a random code and send it back to the same number from which the SMS command was sent. The code can be appended to some predefined password
for the login user.
Edit: and add an on-login event for such a user to reset the password to something arbitrary. Also some scheduler script needs to be involved to time out the code and also reset the password to handle the code timeout
Script must not store passwords...
At least the first part of the password should be plain text in the script, and an "export" or accidentally unencrypted backup might reveal that part...
> Script must not store passwords...
> At least the first part of the password should be plain text in the script, and an "export" or accidentally unencrypted backup might reveal that part...
If one is not careful when creating backups, yes, but for example, I'm using a web API for refreshing the IP on some DynDNS service; there is no alternative other than storing the raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
Actually I have the main network in The Dude; right click and open with WinBox launches a program that asks for a PIN.
If the PIN is correct*** it decodes the passed username and password from The Dude and uses them as parameters to launch WinBox.
(obviously on the RouterBOARDs WinBox is authorized only from the local management ether port or only from specific remote IPs)
This way, if for some reason my PC is stolen, it is useless, because also the read-only monitoring functions in The Dude accept only some IPs...
*** the PIN is part of the decoding, it is not stored inside the program; a wrong PIN causes WinBox to fail authentication, not a program error, because it does not know what the right PIN is...
Obviously keyloggers & co. bring the question to another level...
To do that someone must come to my office, break all the door locks up to my office, hack my PC, and remove all traces of the passage...
> I'm using a web API for refreshing the IP on some DynDNS service; there is no alternative other than storing the raw API credentials (user/pass) in the script afaik, that's why my backups are always encrypted.
Why don't you use the MAC of one or more ethernet interfaces as a seed to encrypt the password?
If the script is run on the same device it can restore the right password to send to DynDNS...
If the export/unencrypted backup is stolen, it is useless, because in the export or backup only manually changed MACs are stored...
and the script on a new device cannot generate the correct username or password again...
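The device-bound credential idea from the last post, as an added example that is not from the thread or from RouterOS: the stored blob is derived from the interface MAC, so the same blob restored on a board with a different MAC fails its integrity check instead of yielding the credential. The MAC, sample credential and salt label are constructed values; the MAC is printed on the device and is not secret, so this binds the secret to the hardware rather than hiding it from someone who also knows the MAC.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the thread): the router's ether1 MAC
# as read on-device, and a DynDNS credential the script needs at runtime.
ROUTER_MAC = "00:11:22:33:44:55"
SALT = b"dyndns-credential-v1"  # fixed, non-secret purpose label

def device_keys(mac: str):
    """Derive separate encryption and MAC keys from the interface MAC."""
    raw = bytes.fromhex(mac.replace(":", ""))
    base = hashlib.pbkdf2_hmac("sha256", raw, SALT, 100_000)
    enc_key = hmac.new(base, b"enc", "sha256").digest()
    mac_key = hmac.new(base, b"mac", "sha256").digest()
    return enc_key, mac_key

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF stream; AES-GCM would be the
    # usual choice, this keeps the example standard-library only.
    out = b""
    for block in range(0, (n + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), "sha256").digest()
    return out[:n]

def seal(mac: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag, safe to keep in a script."""
    enc_key, mac_key = device_keys(mac)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def open_blob(mac: str, blob: bytes):
    """Return the credential, or None when the MAC (hence the keys) does not match."""
    enc_key, mac_key = device_keys(mac)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong device: refuse rather than emit garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> bool:
    """Same board recovers the credential; a restored export on another board does not."""
    blob = seal(ROUTER_MAC, b"dyndnsuser:S3cretToken")
    on_same_board = open_blob(ROUTER_MAC, blob)
    on_other_board = open_blob("00:11:22:33:44:56", blob)
    return on_same_board == b"dyndnsuser:S3cretToken" and on_other_board is None
```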