Configuring Two-Factor Authentication

A how-to for setting up and configuring Two-Factor Authentication in TrueNAS.

Introduction

For increased security, two-factor authentication is highly desirable. TrueNAS offers Two-Factor Authentication (2FA) so that a compromised root password cannot, on its own, be used to gain access to the administrator interface. To use 2FA you need a mobile device with Google Authenticator (or another app that generates time-based one-time passwords, TOTP) installed.

What is 2FA?

Two-Factor Authentication (2FA) is an extra layer of security that prevents someone from logging in to your system even if they have your password. It requires you to verify your identity with a one-time code, by default 6 digits long, that is derived from a secret shared between TrueNAS and your authenticator app and that changes every 30 seconds unless the interval is modified. You enter this code together with your password when you log in.

Benefits and drawbacks of using 2FA in TrueNAS.

Some Benefits of 2FA.

  • 2FA provides an extra layer of security: By requiring a second factor, 2FA decreases the probability that an unauthorized user can gain access to the system. An unauthorized user who only has the password won’t have the second element required to authenticate their login.

  • Increased productivity and flexibility: As the workforce becomes more mobile, employees can securely access systems from virtually any device or location without putting sensitive information at risk.

Some Drawbacks (and a solution).

  • An authenticator app is required to obtain the generated 2FA code.

  • If the 2FA code isn’t working, or the device holding the 2FA secret is unavailable, the system is inaccessible through the UI and also through SSH (if Enable Two-Factor Auth for SSH has been set).

Note: If the mobile device with the authentication app isn’t available, 2FA can be bypassed as long as there is access to the system’s local console shell (physical console, serial or IPMI), which the UI and SSH 2FA settings do not cover.

  • One solution: To turn 2FA off from the console shell, type: midclt call auth.twofactor.update '{ "enabled":false }'. This disables 2FA for the whole system, not just for one login, so re-enable it from the UI once a device has been enrolled again. Because anyone with console access can do the same, protect physical and out-of-band console access accordingly.

2FA Options.



User Settings.

  • One Time Password (OTP) Digits: The number of digits in the One-Time Password. The default value is 6, which is the length of the standard OTP generated by Google Authenticator.

  • Interval: The lifespan (in seconds) of each One-Time Password. The default is 30 seconds; the minimum is 5 seconds. A very short interval requires the clocks of TrueNAS and the mobile device to be closely synchronized.

  • Window: Use Window to accept passwords from intervals adjacent to the current one. For example, a window of 1 means the password immediately before and the one immediately after the current one are also accepted, leaving three valid passwords at any moment. Extending the window can be useful in high-latency situations or when the two clocks drift slightly, but each extra step is one more code an attacker could guess, so keep the window as small as practical.

  • Enable Two-Factor Auth for SSH: Enable two-factor authentication for SSH access to the system.
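
The three options above are the parameters of standard TOTP (RFC 6238). The following is an added worked example, not TrueNAS code, that implements TOTP generation and verification so the effect of Digits, Interval and Window can be seen directly. The secret is the published RFC 4226/6238 test-vector key (constructed for the example; never reuse it), the function names are this example’s own, and the otpauth URI helper uses the generic key-URI format that authenticator apps read, not necessarily the exact label and issuer text TrueNAS puts in its QR code.

```python
"""Worked TOTP example mirroring the TrueNAS 2FA options: digits, interval, window."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Constructed example secret: the RFC 4226 / RFC 6238 test-vector key, base32-encoded.
# A real TrueNAS secret is the one shown under System Generated Settings; never reuse this one.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as found in an otpauth:// URI (padding is often omitted)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


EXAMPLE_KEY = decode_secret(EXAMPLE_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, digits: int = 6, interval: int = 30, now=None) -> str:
    """RFC 6238: the HOTP counter is the number of whole intervals since the Unix epoch."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // interval, digits)


def verify_totp(secret: bytes, code: str, digits: int = 6, interval: int = 30,
                window: int = 0, now=None) -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.

    window=0 accepts one code, window=1 accepts three, window=2 accepts five, and so on;
    each extra step is one more code an attacker could guess, so keep the window small.
    """
    now = time.time() if now is None else now
    if len(code) != digits or not code.isdigit():
        return False
    current = int(now) // interval
    ok = False
    for step in range(max(0, current - window), current + window + 1):
        # compare_digest keeps each comparison constant-time; keep looping so that the
        # position of the matching step is not revealed through timing either.
        ok |= hmac.compare_digest(hotp(secret, step, digits), code)
    return ok


def otpauth_uri(secret_b32: str, account: str, issuer: str,
                digits: int = 6, interval: int = 30) -> str:
    """Generic otpauth key URI, the format a 2FA QR code encodes. The label and issuer
    text TrueNAS itself uses are not taken from this page; these values are assumptions."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "digits": digits, "period": interval})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    print("URI :", otpauth_uri(EXAMPLE_SECRET_B32, "root", "TrueNAS"))
    print("code:", totp(EXAMPLE_KEY), "(valid for", 30 - int(time.time()) % 30, "more seconds)")
    # At t=59 the counter is 1; with window=1 the codes for counters 0 and 2 are also accepted,
    # the code for counter 3 is not.
    for c in ("755224", "287082", "359152", "969429"):
        print(c, verify_totp(EXAMPLE_KEY, c, window=1, now=59))
```

Running the script prints the current code for the example key, which should match what an authenticator app shows after scanning the printed URI, and then shows how a window of 1 turns one acceptable code into three. A production verifier should additionally remember the last step it accepted and refuse to accept the same step twice, so that a code observed in transit cannot be replayed within its window.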

System Generated Settings.

The System Generated Settings (the shared secret and the provisioning URI that the QR code encodes) are generated automatically from the User Settings when the Save button is clicked.

Enabling Two-Factor Authentication.

  • Go to the System menu and click on 2FA.

  • Click the Enable Two Factor Authentication button and then click the Save button.



  • Click the Confirm button.

Note: We strongly recommend that a second 2FA device is set up as a backup, by scanning the same QR code with a second device, so that losing one device does not lock you out.



  • Click the Show QR button.



  • On the mobile device, open Google Authenticator and scan the QR code.

Logging in through the UI

  • Log out of the TrueNAS web interface.

  • Log in to TrueNAS again.

  • Enter the code shown on the mobile device (typed without the space the app displays in the middle) in the login window along with the Username and Password.



Logging in through SSH.

  • Confirm that Enable Two-Factor Auth for SSH is checked in the 2FA screen.

  • Confirm that the SSH service (Services -> SSH) is running and that the Log in with root password option is checked.

  • Open the Google Authenticator app on your mobile device.

  • Open a terminal window and SSH into the system using the Username, Password, and the 2FA code from your mobile device when prompted for it.




Last modified January 4, 2021: Update twofactorauth.md (62c1e0fc)