
2FA (Two-Factor Authentication)


Last Modified 2021-03-04 08:31 EST

For increased security, two-factor authentication is highly desirable. TrueNAS offers Two-Factor Authentication (2FA) to ensure that a compromised administrator (root) password cannot be used by itself to gain access to the administrator interface. To use 2FA, a mobile device with Google Authenticator installed is required.

Two-Factor Authentication (2FA) is an extra layer of security added to your system to prevent someone from logging in, even if they have your password. This extra security measure requires you to verify your identity when you log in using a time-based 6-digit code that is regenerated every 30 seconds (unless the interval is modified).

Benefits

  • 2FA provides an extra layer of security: By requiring a second form of identification, 2FA decreases the probability that an unauthorized user can gain access to the system. An unauthorized user won’t have the second element required to authenticate their login.

  • Increase productivity and flexibility: As the workforce becomes more mobile, employees can securely access systems from virtually any device or location without putting sensitive information at risk.

Drawbacks

  • An app is required to access the generated 2FA Code.

  • If the 2FA code isn’t working, or there is no access to the 2FA code, the system is inaccessible through the UI and through SSH (if that option has been set).

    When the mobile device with the authentication app isn’t available, access the system CLI to bypass 2FA. This requires administrative IPMI or physical access to the system.

To unlock 2FA in the CLI, enter: midclt call auth.twofactor.update '{ "enabled": false }'

2FA Options


Two-factor authentication is time-based and requires that the system time is set correctly.

User Settings

One Time Password (OTP) Digits: The number of digits in the One-Time Password. The default value is 6, which is the length of the standard OTP from Google. Check the settings of your app or device before selecting this.

Interval: The lifespan (in seconds) of each One-Time Password. Default is 30 seconds. The minimum lifetime is 5 seconds.

Window: Use Window to extend the validity of passwords beyond the Interval setting. For example, a window setting of 1 means that one password before and one password after the current one are also valid, leaving three valid passwords. Extending the window can be useful in high-latency situations. IMPORTANT: Two-factor authentication is time-based and requires that the system time is set correctly.

Enable Two-Factor Auth for SSH: Enable two-factor authentication for SSH access to the system. It is recommended to leave this DISABLED until after two-factor authentication is successfully tested with the UI.

System Generated Settings

Secret (Read Only): The secret used to generate OTPs. The secret is produced by the system when Two-Factor Authentication is first activated.

Provisioning URI (includes Secret - Read Only): The URI used to provision an OTP. The URI (which contains the secret) is encoded in a QR Code. To set up an OTP app like Google Authenticator, use the app to scan the QR code or enter the secret manually into the app. The URI is produced by the system when Two-Factor Authentication is first activated.
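The settings above are the parameters of the RFC 6238 TOTP scheme: the shared secret, the number of OTP digits, the interval, and the window of neighbouring codes a verifier tolerates. The following Python is an added example, not code from the TrueNAS documentation or from the TrueNAS project, that implements that scheme end to end so the effect of each setting can be observed. The secret is the RFC 6238 test-vector key (a constructed value, not a TrueNAS-generated secret), the account and issuer names are assumptions, and the otpauth URI follows the common key-URI convention used by authenticator apps rather than a TrueNAS-specific format.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed sample secret: the base32 form of the RFC 6238 test key
# "12345678901234567890". It is NOT a TrueNAS-generated value.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

MIN_INTERVAL = 5  # smallest code lifetime the Interval setting allows


def _check_settings(digits: int, interval: int) -> None:
    """Reject settings outside the documented ranges (6-8 digits per RFC 4226, interval >= 5 s)."""
    if not 6 <= digits <= 8:
        raise ValueError("OTP digits must be between 6 and 8")
    if interval < MIN_INTERVAL:
        raise ValueError(f"interval must be at least {MIN_INTERVAL} seconds")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the slice
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: float, digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 TOTP: the counter is the number of whole intervals since the Unix epoch."""
    _check_settings(digits, interval)
    return hotp(secret_b32, int(timestamp // interval), digits)


def verify_totp(secret_b32: str, code: str, timestamp: float,
                digits: int = 6, interval: int = 30, window: int = 0) -> bool:
    """Accept the current code plus `window` codes on each side, i.e. 2*window+1 valid codes.

    This is what the Window setting controls: window=1 tolerates one interval of clock skew
    or latency in either direction. Comparison is constant-time.
    """
    _check_settings(digits, interval)
    counter = int(timestamp // interval)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta, digits), code):
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, interval: int = 30) -> str:
    """Build an otpauth:// URI of the kind authenticator apps import from a QR code.

    The URI carries the secret in clear text, which is why the page marks it read-only
    and sensitive. Account and issuer are caller-supplied labels.
    """
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "digits": digits, "period": interval}
    )
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("accepted with window=1:", verify_totp(DEMO_SECRET_B32, code, now, window=1))
    # "root" and "TrueNAS" are assumed labels for illustration only.
    print(provisioning_uri(DEMO_SECRET_B32, "root", "TrueNAS"))
```

Running it against the RFC 6238 vectors shows why the documentation stresses correct system time: a verifier whose clock is off by more than `window` intervals computes a different counter and rejects every code the phone produces.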

Enabling Two-Factor Authentication

Set up a second 2FA device as a backup before proceeding.

  • Go to System > 2FA.

  • Click Enable Two Factor Authentication and Save.


  • Click Confirm.

  • Click Show QR.


  • On the mobile device, start Google Authenticator and scan the QR code.

Using 2FA to Log in to TrueNAS

Enabling 2FA changes the login process for both the TrueNAS web interface and SSH logins:

  • Log out of TrueNAS and back in.

  • Enter the code shown on the mobile device (typed without the space) in the login window, together with the root Username and Password.

  • Confirm that Enable Two-Factor Auth for SSH is set in System > 2FA.

  • Go to Services > SSH and edit the service. Set Log in with root password and SAVE. Toggle the SSH service and wait for the status to show that it is Running.

  • Open the Google Authenticator app on your mobile device.

  • Open a Terminal window and SSH into the system using the system hostname or IP address, root account username and password, and the 2FA code from the mobile device.