Support for Aegis Authenticator - 2FA

SYSTEM INFORMATION
OS type and version: Debian 12
Webmin version: 2.202

Any way to add Aegis Authenticator for 2FA?
The only two options are Google and Authy.

I have big issues with Google Authenticator on all platforms I used it on. Way too many times I get an incorrect code. The time is synced just fine.

I moved to Aegis and not even once did I get an incorrect code.
The only systems I did not move to Aegis are Webmin/Virtualmin ones.

Anyone managed to set up this authenticator?

Looks like it uses TOTP, so it should Just Work, I think? Have you tried using the Google Authenticator option, but scanning a QR code in the Aegis app to see if it works?

If it does, we can probably update the language of the UI to indicate any TOTP authenticator would work (as I think it would, if I understand how it works).

Edit: Maybe I’m wrong, though. Our UI for this is clunky.

Seeing your reply, I tried adding via qr-code and it worked.
Tried to log in 5 times and succeeded all 5 times on the 1st try. No more wrong OTP.
I was starting to be afraid to log in in case I got locked out with Google Authenticator.

So it seems Aegis works just fine.
I have to mention that Aegis Authenticator is a free and open source app.

Indeed, the wording might use a refresh to indicate to the user that other authenticators can also be used.

Thank you Joe.

1 Like

Cool, thanks for checking and following up!

I’ll see if @Jamie or @Ilia wants to tackle updating the GUI for 2FA. I think we want to say something like “TOTP (e.g. Google Authenticator)” and then Authy, which I think maybe uses a different protocol. But, maybe they all support TOTP and we don’t need to ask what kind of authenticator, since any one that supports TOTP should work.

And, yeah, I looked at Aegis, it looks really good! I don’t love Google Authenticator, either. The danged thing has to be manually refreshed or as you noticed it serves an old token.

2 Likes

Thanks, Joe! Ironically, we’ve already fixed this for the next, upcoming Webmin release! :blush: It came up before, and Jamie updated the UI just a few weeks ago:

@Jamie, now that it caused confusion for @inteq, I’m thinking the dropdown could instead say TOTP (e.g., Google Authenticator, Apple Codes, or Aegis Authenticator)

2 Likes

A dropdown with long options is hard to read. It would need to become radio buttons or similar, if it’s going to be a bunch of text.

I am happy with TOTP.

Maybe put a Wikipedia link or additional info in the tooltip, but if you don’t know these 4 letters then you should not be using it.

1 Like

I think neither. We shouldn’t create radios and “TOTP” isn’t good enough either.

@Jamie, I think we should change it to “TOTP App (Any)” or just “TOTP (Any)”.

How about “Any TOTP app” ?

1 Like

If TOTP is not selected, then TOTP (Any) is better because the first word read is TOTP, which is more logical.

Also, is TOTP always done with an App?

Perhaps we shouldn’t display Authy option at all, as we discussed earlier? We could check if Authy is currently in use, and only then show the dropdown. For new installs, we should leave it out entirely, making TOTP the only option, while providing a clear explanation about TOTP — what it is and which applications are supported. I think this would be more beneficial.

However, this won’t work if we add new 2FAs in the future — but will we?

1 Like

What is this passkeys thing, is that some sort of 2FA?

Whatcha mean?

However, this won’t work if we add new 2FAs in the future — but will we?

Above you mentioned adding more 2FA methods, and I am not sure if passkeys is a 2FA method that might need to get added in the future.

It was just part of a conversation rather than a request😃

Good question, but I thought the use of “passkeys” was something that involved cookie authentication (in particular session cookies) revoking/renewal. Something additional to MFA rather than an alternative.

I could of course be misguided as well as out of touch. :older_man:

Authy supports TOTP, I believe. So, yeah, I think just drop mention of Authy, don’t special case it, and let it work the same way as everyone else.

Oh, but, any users who’d created the old Authy style thing (assuming it wasn’t TOTP, I don’t even know how we’re doing 2FA with Authy), they’d be locked out until getting a new TOTP token.

Yeah there are still users of the old Authy API, so I don’t want to drop support yet.

Also we may very well add other providers in future, like maybe Passkeys.

Also there are these 2FA protocols:

  • OTP
  • HOTP
  • mOTP
  • U2F
  • WebAuthn
  • Yubikey

Obviously some of these are not popular and TOTP does the job.

To my surprise, Microsoft Authenticator is TOTP too.
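To make concrete why "it uses TOTP, so it should Just Work" holds for Aegis, Google Authenticator, Microsoft Authenticator and the rest, and how HOTP from the protocol list above relates to TOTP, here is an added example (not Webmin/Virtualmin code, not from Aegis) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python. Any app that scans the same enrolment QR code holds the same secret and therefore computes the same six digits; the server-side `verify_totp` accepts one time step either side of now, which covers small clock drift and the stale-code-still-on-screen symptom mentioned earlier, and refuses a code at or before the last accepted step so an observed code cannot be replayed inside that window. The `otpauth://` URI, the `Webmin:root@example.invalid` label and the function names are constructed for the example; the 20-byte secret is the shared test secret from the two RFCs.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with a drift window and a replay check.

Added example for this thread; not Webmin/Virtualmin or Aegis code.
Function names, the sample URI and its label are invented for illustration.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse
from typing import Optional

# Shared test secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed provisioning URI of the kind an enrolment QR code encodes.
# Every TOTP app (Aegis, Google Authenticator, ...) reads these same fields.
SAMPLE_URI = ("otpauth://totp/Webmin:root%40example.invalid"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Webmin")


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_step: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matching time step, or None if rejected.

    `window` steps either side of now absorb clock drift and a code that was still
    on screen when the period rolled over. `last_step` is the step of the last
    accepted code for this user; anything at or before it is refused, so a code
    seen once cannot be submitted again inside the window.
    """
    now_step = at // step
    for k in range(-window, window + 1):
        candidate = now_step + k
        if last_step is not None and candidate <= last_step:
            continue
        # Constant-time compare so timing does not reveal how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the Key Uri Format authenticator apps scan)."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = dict(urllib.parse.parse_qsl(parts.query))
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)                # apps commonly omit base32 padding
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    t = 1_000_000_000                            # fixed instant so the run is reproducible
    code = totp(enrol["secret"], t, enrol["period"], enrol["digits"])
    print("code at t:", code)
    # Entered one period late (drift, or the previous code left on screen): accepted.
    print("late by one step ->", verify_totp(enrol["secret"], code, t + 30))
    # Same code submitted again after its step was recorded as used: refused.
    print("replayed ->", verify_totp(enrol["secret"], code, t + 30, last_step=t // 30))
```

The `window` and `last_step` parameters are where a verifier makes its trade-off: a wider window tolerates more drift but lengthens the time a single observed code stays valid, and without recording the last accepted step a code remains reusable for the whole window, so both belong in any TOTP check, whatever app produced the digits.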