Mikrotik 2 Factor authentication

Or you can just be kidnapped and forced to log in and nothing helps (maybe suicide capsule with poison in tooth?) :slight_smile:

I’d give him the emergency PIN, which if entered still allows decoding and access, but also call the police without notification… :laughing: :laughing: :laughing: :laughing:

I think now OP has quite enough solutions for how to implement 2FA or dynamic credentials...

I missed this one... True, it can be done like that, by using some value(s) unique to the router. Since it is my home router and only I have access to it, I did not bother, but good idea.

Edit: a ROS feature request comes to my mind: Secure Storage - something like the Mac Keychain password storage, which could be a key-value storage unlocked with the logged-in user or the running script's user. Not exportable unless show-sensitive.

I mean this does sound like TOTP 2FA, which is pretty standard these days (quoting from bottom of the link):

So curious at what you’re looking for?


If we were talking about hardware 2FA token devices (e.g. RSA SecurID), it was a check that you physically held something. Since they are semi-tamper resistant and you cannot back up/copy them, if one is lost/missing you really are screwed – that adds quite a bit of a layer of 2FA. When you just switch to another app like Google Authenticator (or Authy or whatever TOTP-enabled app) on the same device that may have your password saved in the keychain/browser… I’m not sure that adds the same level of security… so not all 2FA is the same. Does user-manager add something with TOTP… sure. How much, harder to quantify.

For various factor combinations the term is MFA if multiple factors are involved; 2FA is part of the MFA scope.

@Amm0
Excuse me, but I was sincerely asking about another practical use, except the above, not about the technology to use,
because I can’t think of anything else…

@optio
please do not quote all of it, or it comes out as one mess :question:

I’m old, but you’re right, MFA is the modern term. But I’m surprised they even have 2 on Mikrotik.

Also, I suppose if one drank the Cloudflare Kool-Aid, you could run the various ports through their app firewall. Cloudflare lets you apply various “MFA” in front of it. But I’m waiting for the ATP to try that approach :wink:.

If you ignore the "dumb admin" case, sure, completely unneeded. But not everyone is smart. :wink:

I have seen something like this, not with Mikrotik, but the same use case I'd imagine. AcmeCorp buys a router from MT-Consultant. They don't want MT-Consultant to be able to log in remotely without AcmeCorp's authorization – e.g. it is their router, but they have an install/support contract. The consultant enables the RADIUS login when provisioning the router; AcmeCorp is given the TOTP key and has Google Authenticator once the router is deployed in production. If remote access is later required, AcmeCorp needs to provide MT-Consultant the TOTP code from the app to allow access. AcmeCorp does not have to know a thing about RouterOS. MT-Consultant knows the password, but they need the 6 digit code from AcmeCorp for maintenance. Could MT-Consultant put a backdoor in, sure... but AcmeCorp may also perform a security audit using a different consultant that may catch that.

I've used PPP secret to store API keys. Not great, but it works to avoid them being in an export without show-sensitive. See:

But I totally agree better support for persisting secure (and "insecure") data from scripting would be useful.

What dumb request is this? Tell me how, how tf do you 2FA on Juniper or Cisco?

https://foisfabio.it/index.php/2024/04/19/mikrotik-otp-vpn/