Use push on mobile for 2FA

Use the Pushover app to receive one-time tokens

PreviousEnable two factor authentication NextUse TOTP

Last updated 1 year ago

Use push on mobile for 2FA

Use the Pushover app to receive one-time tokens

Use push messages for 2FA

RPort supports sending one-time tokens to mobile phones via . Pushover is a very tiny and versatile app available for and .

By creating a custom script you can send the token via any delivery method. This enables you to use Telegram or other messengers too.

You can use the app free for 30 days and after that trial it costs ~€6,00. This is a one-time payment. Receiving messages is free.

Install the app on your mobile and create your account. Or go to pushover and create your account there. Each person who wants to receive tokens on the mobile need its own Pushover account.

With a Pushover account, you are allowed to receive and to send messages. Only receiving is enabled by default. To set up the 2FA you need to enable sending too. This must be done only by one person, typically the main administrator of the RPort server.

Create your account and generate a token

Go to https://pushover.net and log in to your account (top-right corner). The credentials are the same on the mobile and on the web.

Scroll down to "Your Applications" and create a "new application/API Token". This enables sending messages.

Enable message sending by creating an application

Enter RPort as the name of the application and confirm the terms. A token is displayed. This is your sender token.

a user key, that is for receiving messages
And an application API token, that is for sending messages.

Test your key and token

Log in to your rport server via SSH and execute the following test command. You should receive a push message almost instantly on your mobile.

API_TOKEN=<APPLICATION_API_TOKEN>
USER_KEY=<YOUR_PERSONAL_KEY>
curl -s \
  --form-string "token=${API_TOKEN}" \
  --form-string "user=${USER_KEY}" \
  --form-string "message=hello world" \
  --form-string "title=Just a test" \
  https://api.pushover.net/1/messages.json

If the test message was sent successfully, proceed to the next step. If not, double-check you are using the right key and token.

Activate 2FA on the rport server

Open the configuration file /etc/rport/rportd.conf with an editor. Scroll down to the where two-factor is configured, and add the following lines.

two_fa_token_delivery = 'pushover'
two_fa_token_ttl_seconds = 600

Scroll further down to the [pushover] section and enter your API token and one user key. Restart the rport server with systemctl restart rportd.

The user key is only used to verify the pushover connection on server start. No messages will be sent to this user key. User keys for sending the one-time token are configured per user. Entering the key of one user is harmless because the key doesn't provide access to the user account or any other personal data.

If the server refuses to start, execute the following command to see what's going wrong.

su - rport -s /bin/bash -c "rportd -c /etc/rport/rportd.conf"

If the server is running after you made the above changes – check with systemctl status rportd – enter at least one pushover user key to the database.

DB_FILE=/var/lib/rport/auth.db
USER_KEY=<YOUR_KEY>
cat <<EOF|sqlite3 $DB_FILE
UPDATE users SET two_fa_send_to="$USER_KEY" WHERE username="admin";
EOF

This will update the user key of the user admin. The keys of all other users can be updated via the web UI. Changing the database doesn't require a server restart.

Try to log in with your username and password. A message "Verify it's you" should appear, and your mobile should ring.