How to enable 2FA on admin login screen?
Hi @Hans4711
Node-RED doesn't have built-in support for 2FA.
It is possible to configure Node-RED to use a 3rd party authentication service via OAuth/OpenID - which may themselves support 2FA.
https://nodered.org/docs/user-guide/runtime/securing-node-red#oauthopenid-based-authentication
Hi @knolleary,
Yes, I saw this in the doc page.
Any chance of implementing Google 2FA Authenticator in the near / medium future?
The Google Authenticator app (Android / iPhone) is quite common and has a simple process.
That should not be built into Node-RED in my opinion. It would add complexity to an already complex system and it simply isn't needed.
The best place to do strong security is outside of Node-RED such that Node-RED's endpoints cannot be reached unless authentication has already happened. This has been discussed and documented many times. Either use a suitable cloud service such as Cloudflare Zero Trust or equivalent or use your own proxy service with an authentication extension.
From my perspective, any kind of middleware (that is what I use NR for) is a sensitive part of any IT infrastructure. Hoping the DMS is "secure" and that user & password authentication is secure is becoming more and more an old vision. Sure, my NR is not accessible from outside, but also having 2FA "inside" for Node-RED to authenticate is a good feature for sure.
What do you mean by complexity? I mean 2FA only for the admin login, nothing more.
Well, if you do 2FA, you need a mechanism to distribute QR codes or keys. To delete them. To enroll...
Relying on an external service that already has all of this makes, for me, quite a lot of sense.
Typically, a tool like authelia (https://www.authelia.com/) can do that really well. And if you look at authelia's code, it is far away from "simple".
Even if it is only made available for 1 single endpoint (e.g. the Editor), the complexity would be the same. Managing 2FA/MFA is a specialist requirement. Node-RED is a generalist tool.
Doing 2FA correctly is not a trivial exercise. Doing it via a cloud service is also not trivial. At least doing it right and securely is not trivial. And given that such services are constantly under attack, they need regular updates and maintenance. Building that into Node-RED would require Node-RED to be updated more often, sometimes at short notice. Not something easy to achieve for an open source tool.
As such updates happen, any security proofs or certifications might also need to be updated.
Continuing to add specialist functions into the core of a general tool - particularly for security - is an anti-pattern that should generally be avoided. Someone has to maintain the code, everyone who uses the feature has to make sure it is configured securely. All of that is a distraction from what Node-RED does really well.
There are better alternatives. Indeed, security is generally best done in layers and tools such as NGINX have battle-tested authentication extensions. With the added advantage that, should you want to extend the security to other endpoints or move to a new authentication scheme, Node-RED would not have to change.
I forgot to add previously that the Node-RED auth schemes also allow ExpressJS Passport schemes to be used. You might well find something with 2FA in those. But external will always be better overall.
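A concrete form of the route described in knolleary's reply (OAuth/OpenID via Node-RED's `strategy` adminAuth type) and in the last post (Passport strategies), as an added example that is not from this thread or from the Node-RED project: a settings fragment that delegates editor login to an external OpenID Connect provider and, in the Passport verify callback, refuses any login whose ID token does not carry an `amr` claim (RFC 8176) showing that the provider actually performed a second factor. So the 2FA lives in the identity provider, as the thread recommends, and Node-RED only checks that it happened. Assumptions not in the thread: the strategy is `passport-openidconnect`, its profile exposes the raw ID-token claims as `profile._json`, the provider sends `amr` and `preferred_username`, and the user names, permissions and URLs are made up for the example. The option names follow the Node-RED documentation's strategy example; check the installed strategy's README for the verify-callback argument order.

```javascript
"use strict";

// "amr" values (RFC 8176) that show a second factor was actually used.
// Password ("pwd") alone, or SMS/telephone, is deliberately not accepted.
const MFA_AMR_VALUES = new Set(["mfa", "otp", "hwk", "sc"]);

// Node-RED users allowed into the editor, keyed by the IdP's
// preferred_username. Names and permissions are assumptions for the example.
const USERS = [
  { username: "alice", permissions: ["*"] },    // full editor access
  { username: "bob", permissions: ["read"] },   // read-only
];

// Return the Node-RED user profile for a set of ID-token claims, or null to
// reject the login. Pure function, so it can be tested without Passport.
function authorizeClaims(claims) {
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
    return null;                                // no stable subject identifier
  }
  const amr = Array.isArray(claims.amr) ? claims.amr : [];
  if (!amr.some((method) => MFA_AMR_VALUES.has(method))) {
    return null;                                // password-only login: reject
  }
  const username = typeof claims.preferred_username === "string"
    ? claims.preferred_username
    : claims.sub;
  if (!USERS.some((u) => u.username === username)) {
    return null;                                // authenticated, but not on the allow-list
  }
  return { username };                          // Node-RED resolves permissions via users
}

// Passport verify callback in its three-argument form. Where the installed
// strategy puts the raw ID-token claims (here profile._json) is an assumption.
function verifyOidc(issuer, profile, done) {
  const claims = (profile && profile._json) || profile || {};
  const user = authorizeClaims(claims);
  if (!user) {
    return done(null, false, { message: "MFA-backed login required" });
  }
  return done(null, user);
}

// Build the adminAuth object for settings.js. The Passport Strategy class is
// injected so this module loads (and is testable) without the package installed.
function buildAdminAuth(Strategy, oidc) {
  return {
    type: "strategy",
    strategy: {
      name: "openidconnect",
      label: "Sign in with SSO",
      icon: "fa-key",
      strategy: Strategy,
      options: {
        issuer: oidc.issuer,
        authorizationURL: oidc.authorizationURL,
        tokenURL: oidc.tokenURL,
        userInfoURL: oidc.userInfoURL,
        clientID: oidc.clientID,
        clientSecret: oidc.clientSecret,
        callbackURL: oidc.callbackURL,          // <editor base URL>/auth/strategy/callback
        scope: ["openid", "profile"],
        verify: verifyOidc,
      },
    },
    users: USERS,
  };
}

// Usage in settings.js (assumed file name ./adminAuth.js and assumed IdP URLs):
// adminAuth: require("./adminAuth").buildAdminAuth(
//   require("passport-openidconnect").Strategy,
//   {
//     issuer: "https://idp.example.com",
//     authorizationURL: "https://idp.example.com/authorize",
//     tokenURL: "https://idp.example.com/token",
//     userInfoURL: "https://idp.example.com/userinfo",
//     clientID: process.env.NR_OIDC_CLIENT_ID,
//     clientSecret: process.env.NR_OIDC_CLIENT_SECRET,
//     callbackURL: "https://nodered.example.com/auth/strategy/callback",
//   })
if (typeof module !== "undefined") {
  module.exports = { authorizeClaims, verifyOidc, buildAdminAuth, MFA_AMR_VALUES };
}
```

The check is only as good as the claim: it relies on the provider issuing `amr` truthfully, which is the point the thread makes about trusting a dedicated, maintained authentication service rather than building the second factor into Node-RED. Keep the allow-list in `users` short and explicit; a user the IdP authenticates but who is not listed still gets no editor session.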