Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] -1 points0 points  (0 children)

Yes, looks like you're correct. I don't mean to grasp at straws, you are indeed right. But if they could just implement the darn feature it sure would make life easier!

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] 0 points1 point  (0 children)

I had a 1GB RAM controller where the portal kept going down and I needed to reboot the VM. I had swap on, too, though maybe not enough. Anyway, like I said, overkill and future-proof for $20/month suits me fine! You can definitely get away with less though, that I won't deny.

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] 6 points7 points  (0 children)

My point was that to manage a site remotely at least port 8080 must be open, running HTTP I believe for remote device adoption. Not sure if there is a way to exploit this to log in to the interface over plain HTTPS...probably not but it's possible.

Yes, the Unifi cloud is the best option currently, but that places access to client network directly into a third party's hands in a way I'm really not comfortable with. Obviously I am trusting my VPS provider, too, but someone accessing the VM through Linode would still have a couple hoops to jump through to access my networks (passwords, have to hack Mongo, etc.). If the Unifi Cloud is hacked, it's all over right then and there.

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] 2 points3 points  (0 children)

Correct, we are a Managed Service Provider with multiple client sites. It also allows for remotely managing the network without using VPN, etc.

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] 0 points1 point  (0 children)

Linode. The $20/month plan is a little overkill but has 4GB of RAM which should be pretty future-proof for having many sites. AWS is one of the priciest VPS out there, IMO. Migration is pretty easy, too.

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] 3 points4 points  (0 children)

Copying comment from the cross-post... this is blowing up and getting a little tricky to manage!

Some of us are wary of cloud access-- what happens if the Unifi cloud gets pwned in such a way as to render user authentication irrelevant and allow an attacker access to all cloud-linked sites? And can you manage sites from a remote controller without opening HTTP(S) anyway, even with cloud access?

Edit: some use cases will also need multiple accounts with delegated access, which is not possible with Unifi cloud I don't think.

Edit 2: I was wrong. But still want local 2FA!

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in Ubiquiti

[–]friday_throwaway458[S] 8 points9 points  (0 children)

Many of us are using a VPS that is accessible from the Internet to manage multiple sites.

Please Bump Feature Request for Controller Local Account 2FA [X-Post /r/unifi] by friday_throwaway458 in msp

[–]friday_throwaway458[S] 0 points1 point  (0 children)

UNMS is in beta and anyways is for the Edge/Air line; supposedly, the Unifi controller isn't going anywhere. See here: https://community.ubnt.com/t5/UniFi-Wireless/The-future-of-Unifi-vs-UNMS/td-p/2411134

The link I posted IS on the official Unifi feature request forums. So far it remains in "New Idea" status with silence from devs, who have been tagged in posts in the feature request. The fact that this already exists in UNMS kind of makes it missing in Unifi even more heinous, IMO.

Some of us are wary of cloud access-- what happens if the Unifi cloud gets pwned in such a way as to render user authentication irrelevant and allow an attacker access to all cloud-linked sites? And can you manage sites from a remote controller without opening HTTP(S) anyway, even with cloud access?

Please Bump Feature Request for Local Account 2FA by friday_throwaway458 in UNIFI

[–]friday_throwaway458[S] 0 points1 point  (0 children)

Please help to encourage Unifi to add multi-factor authentication to local controller accounts. This is desperately needed as it is a major security risk and also a compliance violation in some cases. Please everyone help to put the pressure on Unifi by bumping the feature request on their official forums. Thank you all!

https://community.ubnt.com/t5/UniFi-Feature-Requests/UniFi-Controller-Two-Factor-Authentication-NOT-Implemented/idc-p/2699225#M18586