
[FEATURE REQUEST] Two Factor Authentication

Posted: Wed Oct 03, 2012 3:28 am
by artie11
I've been trying to implement two factor everywhere and found the lowest common denominator that's safe is the Google Authenticator.
It's safe, secure and completely offline. It doesn't use any proprietary anything and would be a perfect fit...

All you'd need is a module for login and the ability for us to set the secret not just use a random one.. That way all the servers I need can be on the same Secret and I won't need 50 different codes.

Attached is a bunch of implementations - If it can be done in JS I'm sure we can get a mikrotik module

Here's the code for the apps - https://code.google.com/p/google-authenticator/
Here's a JS implementation - http://blog.tinisles.com/2011/10/google ... avascript/
Linux PAM Module install - http://www.howtogeek.com/121650/how-to- ... ntication/

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Mon Oct 08, 2012 5:51 am
by artie11
You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...

But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sun Oct 14, 2012 9:36 pm
by NetworkPro
I can see how this can be useful. I am with you buddy.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sat May 25, 2013 12:03 pm
by jsmelley
What is the current status of this request? Has it been implemented or has anyone figured out how to implement the use of this for SSL connections? I too am looking for a good two factor, OTP solution.


James

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Tue Jun 04, 2013 3:14 am
by brotherdust
Sorry if this seems a non-sequitur, but I thought I would share some experiences I've had with OATH (the standard GAuth works on). I implemented OATH TOTP and HOTP in Ruby for fun a while ago, but never published the code. Anyway, I have a hypothesis that the scripting capabilities embedded into RouterOS could have the facilities to implement OATH. I've not done any research on it yet. Anyway, if it were possible to implement it, you'd be most of the way there. I don't know if it's possible, however, to hook into the auth process on the router. Just some stream-of-consciousness ramblings..

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Mon Sep 30, 2013 12:17 pm
by Netguy
I cannot imagine Mikrotik not implementing this.
It is good, easy and free.

I am looking forward to seeing GoogleAuthenticator-support in the next upgrade ;)

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sat Feb 08, 2014 11:09 am
by vdm
I would really like to see this, so I can use it in addition to ssh client certificates. Gmail has trained people how to use it.

Duo is another open source option. It works great on Cisco ASAs and Active Directory already.

https://www.duosecurity.com/docs/duounix

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Mon Feb 10, 2014 4:15 pm
by shiny
I am using http://www.yubico.com/ for 2FA on several places, including some linux machines. Works good.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sat Feb 15, 2014 10:14 pm
by hvdhelm
MultiOTP is a very nice freeware solution. Radius based, full support for Google Authenticator, OATH TOTP and HOTP.

Recently they have released a Raspberry Pi image.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Oct 09, 2014 1:20 am
by michaeleino
Hey all!
Is there a hope to implement this feature? Is this possible?

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sun Oct 12, 2014 12:04 pm
by jaykay2342
2 factor auth would be nice. We are also using the YubiKey on a lot of systems. Even for VPN (ovpn) with radius authentication. Unfortunately for the http(s) logins the radius-authrequest does not include the cleartext password, therefore the radius server can split up the password into the actual password part and the yubikey token part. Otherwise we would already have a two factor auth for our routers. If Mikrotik changes such behavior I offer to write a tutorial on how to set up a two factor auth with freeradius+yubikey.

Re: [FEATURE REQUEST] Two Factor Authentication / Google Aut

Posted: Wed Jan 21, 2015 1:55 am
by TheLittleDuke
What would it take to get this on "sooner than later" roadmap?

In particular I'd like to see Google Auth support for the WebFig Login interface.

Is there a "bounty" that could be raised?

Let me know, I'm willing to chip in to see this implemented asap.

-dvd

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Wed Jan 21, 2015 11:49 am
by hedele
I can only see a slight problem with the Google Authenticator bit... since the one-time codes are derived from clock time, there's going to be trouble when your Routerboard reboots and fails to sync clock time with NTP afterwards as no RB has a battery-buffered RTC included, leading to you being unable to log in as the time on the devices doesn't match.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Jan 22, 2015 12:48 pm
by awacenter
> You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...
>
> But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..

Really you have troubles because of Mikrotik security policies? There are lots of strategies, think about using SSL certificates for users.
Another issue is why 802.1x is not implemented in wired interfaces by Mikrotik.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sat Jan 24, 2015 2:29 am
by jkarras
Like has been mentioned earlier any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding on Google Auth to FreeRADIUS is a pretty simple way to get this done today.

I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sat Jan 24, 2015 2:53 am
by TheLittleDuke
> Like has been mentioned earlier any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding on Google Auth to FreeRADIUS is a pretty simple way to get this done today.

Defense in Depth. I'm not going to add in a Radius server to manage my home router remotely :p

Even the SSHD should have a 2FA option.

The clock issue mentioned above is clearly problematic, though I wonder what NTP/USB/Battery options are available?

Quick search finds this: http://www.keylok.com/product/fortress-real-time-clock

A possible smart implementation could just detect the power fail and allow for an option to disable the Google Auth as a fail-safe mode.

For what it's worth, Google Auth does provide you with a set of "backup auth" codes that you can use in the event of clock skew.

You can ALSO deploy it in "counter mode" which doesn't rely on the clock.

> I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.

So what? Why "race to the bottom" when this could be a compelling differentiator!
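
Added example (not part of any post in this thread, and not MikroTik or Google Authenticator code): a minimal RFC 4226/6238 verifier showing the clock problem hedele describes and the "counter mode" mentioned above. The secret is the RFC test secret; the timestamps, window sizes and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second step."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, code, device_time, window=1, step=30):
    """Accept a code within +/- `window` steps of the verifier's OWN clock."""
    now = device_time // step
    return any(hmac.compare_digest(hotp(secret, now + d), code)
               for d in range(-window, window + 1) if now + d >= 0)

def verify_hotp(secret, code, stored_counter, look_ahead=5):
    """Counter mode: no clock involved. Returns the next counter to store, or None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # advance past the used counter so the code cannot be replayed
    return None

SECRET = b"12345678901234567890"   # RFC 4226 test secret, not a real key
PHONE_TIME = 1421837340            # constructed: correct wall-clock time on the phone
ROUTER_AFTER_REBOOT = 120          # constructed: no RTC battery, no NTP sync yet

def demo():
    code = totp(SECRET, PHONE_TIME)
    return {
        # Router clock 20 s ahead of the phone: same time step, code accepted.
        "synced": verify_totp(SECRET, code, PHONE_TIME + 20),
        # Router clock back near the epoch: valid code rejected, admin locked out.
        "after_reboot": verify_totp(SECRET, code, ROUTER_AFTER_REBOOT),
        # Counter mode: token is two presses ahead of the router's stored counter.
        "counter_mode": verify_hotp(SECRET, hotp(SECRET, 7), stored_counter=5),
    }

if __name__ == "__main__":
    print(demo())
```

The counter-mode verifier has to persist the returned counter across reboots; if it falls back to an old value, previously used codes become valid again.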

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Sat Jan 24, 2015 3:41 am
by jkarras
My reason for pointing out the other vendors was only to answer the others above who said other vendors supported two-factor.

Good point on the single home router. Anything past one device would increase the administration quite a bit as there would be one entry in the app for every router. Centrally controlled is one entry to update.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Mon Jan 25, 2016 10:53 pm
by ericholtzclaw
2FA can be done easy with https://duo.com/support/documentation/radius Proxy to Radius. (you need a server)

What MikroTik should do is add in support for Duo and become the proxy + Radius with less moving parts.

Duo has a lot of mobile apps baked with a lot of password managers.


Eric

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Jan 28, 2016 1:29 am
by Zorro
Yeah, lack of EAPOL and 802.1x-2010 support on wired interfaces is a serious issue.
I guess it's because of the aged kernel used in past days, initially?

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Jun 23, 2016 3:30 am
by artie11
Surely after nearly 4 Years since my Initial Request... It has to have been at least discussed at Mikrotik....

Can we get an official answer on this... 6.5k views on this thread, Can't be because it's a terrible idea.

At this point in time... not having 2F Login to the Tiks has become a serious issue... Especially with the number of Publicly facing CCRs I have.
I'm resistant to putting in a radius with 2F Just for logins, as this has significant admin overhead... not to mention we have hundreds of CPE tiks around Australia, I've never been a fan of Remote radius over the internet...

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Jun 23, 2016 7:27 am
by jkarras
  1. Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN.
  2. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode).
  3. Admin overhead for adding RADIUS is only at initial config then the mgmt is far less than individually managing credentials on n devices. The settings can easily just be added to your initial setup template. That's what we do. Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on.
  4. As stated in point 3 management of 2 factor on discrete devices without RADIUS is a 1n operation instead of a single change on a single authentication server (or config synced cluster). With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1n devices that are remote and possibly making a mistake in configuring a couple of them along the way.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Fri Jun 24, 2016 6:49 am
by artie11
Are you saying there is no merit to increasing local access security for a device which is used everywhere from DC,Wisp all the way down to Home and Travel routers, You must think about use cases other than your own.

Just because it can be done via Radius, Doesn't mean it should, and it doesn't negate the benefits of adding such a very simple mechanism in scenarios where Radius would be overkill.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Fri Jun 24, 2016 7:33 am
by jkarras
I am just saying that in all cases it's very low on the priority list of things that will give them a competitive advantage because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based logins to name a few). The lack of this feature is not making Mikrotik lose sales to anyone and it probably won't gain any converts if they did have it. The solutions mentioned in this and previous posts will work to secure management logins (with and without RADIUS) for even the home/travel router with equal or greater benefits to 2FA.

Items like connection tracking sync, config sync, better management VRF support, fully isolated MPLS support, MSTP, and others are currently causing people to purchase other vendors when otherwise Mikrotik would work fine.

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Jun 18, 2020 7:30 am
by jerryroy1
OK, so going on eight years since initial request and it should be past time that 2FA works with MT and google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples :)

Re: [FEATURE REQUEST] Two Factor Authentication

Posted: Thu Jun 18, 2020 7:57 am
by normis
Here is also something with a MikroTik documentation guide straight up on their main page (I think it's free for up to 25 users)
https://www.notakey.com/products/