WinBox Authentication with 2FA?

Hello dear Community

I am interested in whether it is possible to use 2FA while logging into RouterOS via WinBox, like receiving a push code in some kind of authenticator app, etc.

Thanks

Hi,

Simple answer is: No.

And yet ... with some workaround it can be done.

Enter ... Radius.

https://www.incognia.com/the-authentication-reference/what-are-the-key-differences-between-2fa-and-mfa

OTP is almost as weak as a password, since if someone gets your OTP hash key, they could generate your OTP passkeys. I use MFA TOTP with User-Manager, but my problem is that every admin can see everyone else's keys and passwords. An additional problem is the MSCHAPv2 auth, so we must store passwords in cleartext.

(moved)

False...

@holvoetn I thought someone would add the link to my guide, but nothing... :cry:

Apologies, I did search for it but yours did not pop up.
Sorry about that.

I was kidding! All good :upside_down_face:

@sandro1992 It should rightly be remembered (as per link):

Caveats:
Obviously, every time you open the terminal from WebFig/WinBox,
or when you reboot the device, upon reconnection
it will ask for the password again and you must use a new... OTP...
BUT this is precisely the point of using 2FA, a One Time Password, so that a password is only valid once...
(or at least the OTP is one of 1 million numbers that does not deterministically repeat for at least 347d 5h 20m, and is valid for just 1m30s)

You can do it with user manager. I use it for VPNs, password + Google auth.

@abbio90 Already written......... including the guide on how to do it........

@sandro1992 News? Or is it just post & disappear?

Could you also update your guide and add a big warning that the device must have NTP client properly setup and must be able to synchronize the time after boot before accepting logins? Many devices that MikroTik sell have no battery to keep a RTC running, and will have wrong date and time at boot. If left powered off for too long (a few minutes), without proper time synchronization, all the expected OTP codes will no longer match.


This is only a related thing, but I was very pleased to see that v7.21beta2 introduced support for ed25519-sk ssh keys (keys requiring attestation through FIDO2, e.g. using a Yubikey.)

For me at least this solves this whole area of problems wonderfully. Combined with an ssh tunnel, which is available in all Windows and standard CLI implementations, this is easily used to secure winbox access.

Additionally, this doesn’t rely on the clock being correct. And additionally, ssh through its fingerprint verification protects against man-in-the-middle attacks, which winbox doesn’t do.

Done, check if it is ok...
