Add optional PIN entry field for two-factor authentication
There are really two big issues I have with the two factor authentication implementation. The first is that nowhere in the setup for the user is there any information or instruction as to how to use two factor authentication. Every other two factor authentication that I have used has had a separate box for putting in the random code. I only learned about how to properly use two factor authentication after calling support and being informed that I needed to append the randomly generated code to the end of my password, to which I say "Really! And you aren't going to inform the user of this anywhere!" Also, the second issue I have is that if you set this up for the SuperUser accounts and somehow no longer have access to the authentication app, there is no secondary recovery method outside of having another SuperAdmin account. There needs to be a recovery option such as email recovery of the authentication info when lost. Please Please Please fix this, as I will have no end of user complaints on how to actually use this, as it's not user friendly at all!
Bill Bixby commented
I find it fairly common to append 2fa onto a password. That way users without 2fa requirements are actually less confused about a box that they don't need to fill in.
As for lockouts, our environment won't allow admin of the device outside of a specific network. The admins don't require 2fa, because they can't admin from untrusted locations, and only some of the users do where they have specific access.
Jesse S commented
I agree. The additional value in a first screen to authenticate username/password, and then a second screen to provide 2FA, is that where you remember a device (via cookie or similar) so as not to prompt for 2fa in the future, you are able to make that check on submission and then skip it as needed.
I completely agree.
I wouldn't call Pin onto end of password standard, as most websites do not do it that way. Rather, that's a sort of hack that's been used with systems that needed to enable 2FA for various reasons (legal, compliance, etc etc) but were never designed with it in the first place (VPN, etc). Where a second screen is an option, I think that's a much better option.
Harrison Heck commented
I completely agree with this request. I've got multi-factor authentication enabled on every account that offers this feature (Facebook, Microsoft, Google, Dropbox, etc.), and EVERY single one of them does it in this fashion:
First Screen: Authenticate username and password
Second Screen: Provide 6 digit 2FA code.
This way, if you get the username and password wrong, you'll never even get to enter the 2FA key. It provides the same security of not knowing up front whether 2FA is enabled or not, with the added bonus of not confusing users.
I was lucky enough to even find this information out because someone complained about 2FA not working on the forums.
Appending the pin onto the end of the password is a fairly standard entry method, but I agree there could be some better documentation around its use.
Keep in mind that 2fa can be enabled selectively for various users, so adding a separate pin entry field could be equally confusing for users not enabled for two factor authentication. Also, as Yes indicates, showing a separate pin field when 2fa is enabled reveals information about the security settings of the device, which is not desirable to many users. While I somewhat agree with your points, I've renamed this feature request to make the subject more descriptive, and less opinionated.
As for admins being locked out of the web interface by enabling 2fa for webadmin access, there are some strategies you can use to minimize risk. First, you can currently generate a list of one-time use pins per user, which may be used if a user loses or forgets their phone. If you are using 2fa for webadmin access, I would recommend pre-generating these tokens and storing one or two of them securely somewhere outside the UTM.
Alternately, create a separate account, which uses a very long and random password, which does not have 2fa enabled for it, and may be used in emergencies. Finally, our knowledgebase does have options on resetting passwords in the event of a lockout. If you have direct console access to your UTM, it is possible to recover access.
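As an added illustration (not code from this thread or from the vendor), here is how a server can verify the "password with the 6-digit code appended" entry that the reply above describes: the last six characters are split off positionally (so a password that itself ends in digits still works), checked as an RFC 6238 TOTP code within a one-step drift window, and both factors are compared in constant time. The secret used is the public RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

CODE_DIGITS = 6
STEP_SECONDS = 30
# Public RFC 6238 test-vector secret ("12345678901234567890" in base32), not a real credential.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret_b32, int(at_time) // step)

def split_appended_credential(entry: str, digits: int = CODE_DIGITS):
    """Split a single-field 'password+code' entry: the last `digits` characters are the code.
    The split is positional, so a password that itself ends in digits still works."""
    code = entry[-digits:]
    if len(entry) <= digits or not (code.isascii() and code.isdigit()):
        return None
    return entry[:-digits], code

def verify_appended(entry: str, expected_password: str, secret_b32: str,
                    now: int, window: int = 1) -> bool:
    """Accept the entry only if both the password and the appended TOTP code are valid."""
    parts = split_appended_credential(entry)
    if parts is None:
        return False
    password, code = parts
    # Constant-time comparison so the password check does not leak via timing.
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    step = int(now) // STEP_SECONDS
    # Allow one step of clock drift either side; check every candidate (no early exit).
    code_ok = False
    for drift in range(-window, window + 1):
        code_ok |= hmac.compare_digest(code, hotp(secret_b32, step + drift))
    return password_ok and code_ok
```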
They don't have a 2nd box for security reasons. You should inform your users how to use it.