MeshCentral is an open source web based remote computer management web site. MeshCentral is being deployed at an ever increasing rate with more computers being managed it’s important that it be done as securely as possible. Last week, the MeshAgent got TPM support for hardening of device identity, this week it’s the user’s turn to have improved authentication with support for Google Authenticator and compatible applications.
When logging into a web site, users are normally prompted for a username and password. This however can be a weak form of authentication. Especially for sites like MeshCentral that manage many computers, it’s important to authenticate users in the most secure way possible. One solution is RFC4226 and RFC6238 that standardize a way to transfer a pre-shared key to a user and compute a time limited token than is a second login factor. Google has a quick guide on 2 step authentication here which can be helpful.
Starting with MeshCentral v0.2.6-j there is now full support for 2-step login. This is an optional process and to get it setup, users will get a link or QR code that they scan into Google Authenticator. They then enter the current login token to make sure everything is ok and the account will have double protection. Each time a user logs into the web site after that, they are prompted for the username, password and login token. A new token is generated every 30 seconds, so it can’t be used for a long time.
Improving user authentication is an essential part of building and operating a security web site on the Internet. Enabling 2 step login should be an essential requirement of all Internet facing web sites and obviously, all users and system administrators should make use of it.