[Not Accepted] Allow 2FA Backup Code Download in case of Lockout

Problem/Justification
When enabling 2FA for GUI admins, there is no option to download backup 2FA codes in case the selected Authenticator App loses the rotating 2FA code. In this case, it forces the administrator to plug in a monitor and keyboard to manually reset the root password and try again. However, after reading some forums it doesn’t seem that this completely fixes the problem and in some cases (at least in previous versions) the 2FA page still blocks access to the WebUI.

(I could be wrong because I didn’t dive too deep into this problem)

This feature request is to allow GUI/Web portal admins to download static 2FA backup codes in case the Authenticator App loses the rotating 2FA code.

Impact

Benefits:

  • If the Web/GUI admin elects to enable 2FA for their instance, then the setup wizard will provide a .txt or .json file to download to the admin’s local machine that contains backup 2FA codes. This could be required or optional (up to the devs)

Drawbacks:

  • If a user with nefarious intentions gets ahold of said generated codes, they could bypass the required 2FA input screen and access the Admin Web/GUI dashboard and make changes to cause all sorts of havoc.
  • Nefarious users could attempt a brute-force attack to override the static 2FA backup codes and gain access to the Admin Web/GUI dashboard. In this case, other products/companies use a lockout algorithm so that after X incorrect inputs (this could be configurable), the entire system would be locked out. For the case of TrueNAS, maybe we could have a way to reset this in the terminal like how one resets the root password.

Impact:

  • If an admin does NOT opt in to 2FA for login, this feature would not affect them, since in that case only a username and password will be required to gain access to the dashboard.

User Story

I personally manage 3 different instances of TrueNAS Community servers (stable v.25.04.1). When I set everything up, I create a folder on my local machine that includes all information (passwords, configuration details, etc) for future reference. I always opt-in for 2FA for login, and I have 3 sources that host the rotating 2FA code (Google Authenticator and 2x Yubikey 5 series). I personally doubt that I will ever lose my 2FA tokens, but that’s beside the point.

Within the folder where I hold all of the config information, I have no way to store the rotating 2FA tokens because, well, they rotate. So let's take the scenario that I somehow lose access to all three of my 2FA sources, and I only have my username and password to log in. I will be locked out of the GUI because there are no backup codes to bypass the 2FA login. In a way, yes, this is good from a security standpoint, but even someone as paranoid as I am about digital security has a limit to inconvenience.

My only workaround for this would be to store the generated line of text that the 2FA setup wizard provides (under the QR code) into my config files. This would allow me to re-setup my Authenticator App with rotating codes, although it defeats the point of rotating 2FA codes. This is not to mention the case where the authenticator setup code (and by extension the QR code) were to change.

However, if I were to download a list of bypass codes that I could use in the case that I am locked out, it could prove very useful in the event that I’d need to gain access again.

Suggestions for Implementation
Assuming that 2FA is enabled on the system…

  • For every user that has privileges to log into the admin Web/GUI dashboard, they should each have their own set of backup codes
  • During a lockout event, require the user to input more than 1 backup code to prevent brute-force attacks. Allow admins to modify how many are required in System > Advanced Settings > Global Two Factor Authentication (set the default to 2).
  • Implement brute force prevention logic to do a “super-lockout” so there would be absolutely no way to log into the Web/GUI dashboard even with correct codes. In this event, passwords/2FA/backup codes will need to be reset in the local terminal
  • If 2FA is enabled for SSH, and there is a lockout event, then login by SSH is disabled until manually re-enabled by the GUI (set up a notification to prompt the user to re-enable it). By extension, current sessions of SSH are automatically terminated.
  • Allow admins to modify how many backup code input attempts are allowed in System > Advanced Settings > Global Two Factor Authentication (set the default to 10 or something)
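
An added sketch of the scheme the list above proposes, not TrueNAS code and not part of the original post: per-user single-use backup codes stored only as salted hashes, more than one distinct code required per recovery, and a failure counter whose lockout is cleared only by a local reset. The class name, code format, hashing choice and in-memory storage are assumptions.

```python
import hashlib
import hmac
import secrets


class BackupCodeStore:
    """Hypothetical per-user backup-code store (illustration only)."""

    def __init__(self, required=2, max_attempts=10):
        self.required = required          # codes needed per recovery (post suggests 2)
        self.max_attempts = max_attempts  # failed tries before lockout (post suggests 10)
        self.users = {}                   # username -> salt, hashes, failures, locked

    @staticmethod
    def _digest(salt, code):
        # Codes are 80 random bits, so a salted SHA-256 is assumed sufficient;
        # only the digest is stored, never the code itself.
        return hashlib.sha256(salt + code.encode()).hexdigest()

    def enroll(self, username, count=10):
        """Generate a fresh code set; plaintext is returned once, for download."""
        salt = secrets.token_bytes(16)
        codes = [secrets.token_hex(10) for _ in range(count)]
        self.users[username] = {"salt": salt, "failures": 0, "locked": False,
                                "hashes": {self._digest(salt, c) for c in codes}}
        return codes

    def recover(self, username, supplied):
        """True only if exactly `required` distinct, unused codes are supplied."""
        user = self.users.get(username)
        if user is None or user["locked"]:
            return False
        digests = {self._digest(user["salt"], c.strip().lower()) for c in supplied}
        matched = {d for d in digests
                   if any(hmac.compare_digest(d, h) for h in user["hashes"])}
        if len(digests) == self.required and matched == digests:
            user["hashes"] -= matched  # each code is single-use
            user["failures"] = 0
            return True
        user["failures"] += 1
        if user["failures"] >= self.max_attempts:
            user["locked"] = True  # "super-lockout": correct codes are now refused
        return False

    def local_reset(self, username):
        """Console-only reset: old codes are discarded and a new set is issued."""
        return self.enroll(username)
```

Submitting the same code twice counts as one code, so it fails the "more than 1 backup code" requirement and increments the failure counter.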

Thank you for submitting this feature request. After keeping it open to gauge community interest, we’re closing it as it hasn’t received enough votes to prioritize for development.