Enable two factor authentication

Add an extra layer of security to your account

Why 2FA and which to choose?

The more devices you manage with RPort, the more powerful the RPort server becomes. If an unauthorized person gets access to it, they might take partial or full control of your infrastructure. Getting access to your machines via RDP or SSH always requires login credentials of the operating system, but if you have scripts and commands enabled, full control might be possible from the RPort dashboard.

Enabling two-factor authentication is therefore recommended. It prevents unauthorized usage of the RPort server if you or your teammates use weak passwords or passwords are stolen.

With 2FA enabled, you will receive a one-time token after the regular login.

The RPort server supports four two-factor authentication methods:

  1. Sending the second factor, a one-time token, via email using an SMTP server.

  2. Handing over the token to a script, so you can implement your own sending mechanism.

  3. Sending the token via the free push service Pushover.net (requires an app on your mobile).

  4. Using an RFC 6238 one-time token generated by standard apps like Google or Microsoft Authenticator.

Using email is free of cost, but the protection is weaker compared to a push message. Think of a lost or stolen laptop: if the laptop is not fully encrypted, the wrongdoer will have access to RPort and the email account, and the 2FA is useless. If you select push messages for 2FA, the wrongdoer must get access to the laptop and the mobile phone, and nowadays mobiles are protected biometrically, so accessing the token is not that easy.

Enabling 2FA and the method by which tokens are sent is a global setting. You cannot enable or disable 2FA per user. All users must use the same token delivery method.

  • 👉 Use push messages on mobile phones for 2FA (recommended)

  • 👉 Use email for 2FA

Free two-factor sending service

Starting with rportd version 0.3 (late August 2021), all RPort cloud installations have two-factor authentication via email enabled by default. Emails are sent via a free public service, so you start with a secure setup right from the beginning. The service comes without warranty or promised availability.

⚠️ If you plan to use RPort permanently and in a production environment, stop using the free service. It's highly recommended to use either your own SMTP server or to switch to push messages.

Privacy notes

The free email service, triggered by the script /usr/local/bin/2fa-sender.sh on your RPort server, submits the user's email address and token over encrypted HTTPS to a web service operated by cloudradar GmbH. Email addresses are not used for any purpose other than dispatching the two-factor token. Email addresses are not stored.

Use the free service on manual installations

If you have installed your RPort server manually and want to use the free token service, create the script with the following content.

#!/bin/bash
# /usr/local/bin/2fa-sender.sh
#
# This is a script for sending two factor auth token via a free API provided by cloudradar GmbH
# Check https://kb.rport.io/install-the-rport-server/enable-two-factor-authentication
# and learn how to use your own SMTP server or alternative delivery methods
#
# rportd passes the recipient, the token and its TTL in the environment variables used below;
# they are quoted so that unexpected characters cannot break the curl command line.
RESPONSE=$(curl -Ss https://free-2fa-sender.rport.io \
 -F "email=${RPORT_2FA_SENDTO}" \
 -F "token=${RPORT_2FA_TOKEN}" \
 -F "ttl=${RPORT_2FA_TOKEN_TTL}" \
 -F url=https://dnpefye735n8.users.rport.io 2>&1)
# The service answers "Message sent" on success; any other response is reported on stderr
# and a non-zero exit code tells rportd the delivery failed.
if echo "$RESPONSE" | grep -q "Message sent"; then
    echo "Token sent via email"
    exit 0
else
    >&2 echo "$RESPONSE"
    exit 1
fi

In your rportd.conf, insert the following lines into the [api] block.

two_fa_token_delivery = "/usr/local/bin/2fa-sender.sh"
two_fa_send_to_type = "email"
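The same delivery contract can be used for method 2 above with your own sending mechanism. The following script is an added example, not code from the page or the RPort project: it hands the token to a local MTA instead of the free service, validating the values rportd passes in before they reach the mail command. It assumes rportd exports RPORT_2FA_SENDTO, RPORT_2FA_TOKEN and RPORT_2FA_TOKEN_TTL (as the script above uses), that the TTL is in seconds, and that the MTA at the placeholder path /usr/sbin/sendmail accepts -t to read the recipient from the headers.

```shell
#!/bin/sh
# Custom two_fa_token_delivery script: hands the token to a local MTA instead of the free service.
# Added example, not RPort's own code. Assumes rportd exports RPORT_2FA_SENDTO, RPORT_2FA_TOKEN
# and RPORT_2FA_TOKEN_TTL (as the page's script uses), that the TTL is in seconds, and that
# the MTA at $SENDMAIL (placeholder path) accepts "-t" to read recipients from the headers.
FROM_ADDR="${RPORT_2FA_FROM:-rport@example.com}"   # constructed placeholder sender address

# Accept only a single plain address: no whitespace, quotes or shell metacharacters may reach the MTA.
valid_recipient() {
    case "$1" in
        ""|*[!A-Za-z0-9.@_%+-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a non-empty alphanumeric token; anything else is treated as tampered input.
valid_token() {
    case "$1" in
        ""|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the complete mail (headers and body) for recipient $1, token $2 and TTL $3 in seconds.
build_message() {
    printf 'From: %s\nTo: %s\nSubject: Your RPort login token\n\n' "$FROM_ADDR" "$1"
    printf 'Your one-time token is: %s\nIt expires in %s seconds.\n' "$2" "$3"
}

# Validate what rportd passed in, then pipe the mail into the MTA; exit code 1 tells rportd it failed.
deliver_token() {
    valid_recipient "${RPORT_2FA_SENDTO:-}" || { >&2 echo "refusing invalid recipient"; return 1; }
    valid_token "${RPORT_2FA_TOKEN:-}"      || { >&2 echo "refusing invalid token"; return 1; }
    build_message "$RPORT_2FA_SENDTO" "$RPORT_2FA_TOKEN" "${RPORT_2FA_TOKEN_TTL:-600}" \
        | "${SENDMAIL:-/usr/sbin/sendmail}" -t || { >&2 echo "MTA rejected the message"; return 1; }
    echo "Token sent via local MTA"
}

# Entry point when rportd runs the script; skipped when no token is in the environment
# (for example when the file is sourced to test its functions).
if [ -n "${RPORT_2FA_TOKEN:-}" ]; then
    deliver_token || exit 1
fi
```

Point two_fa_token_delivery at this file instead of 2fa-sender.sh and keep two_fa_send_to_type = "email"; set SENDMAIL in the environment if your MTA lives elsewhere.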
