This question may sound strange but it would improve acceptance of OTP a lot.
Is there a chance to use a whitelist of internal IP segment(s) where no OTP Auth is needed? For example: If the user is inside the company he should login normally just with his name+password. If he’s outside OTP should be mandantory.
Logical thinking, but what if your internal accounts were compromised, and attackers can easily access all the data. Better to keep it on for everyone. My 2 cents. You either need it or you don’t.
controversial point…
Yes, you can do this with pam_access.so. This recipe was taken from the wiki for the Google Authenticator:
A useful PAM recipe is to allow skipping two-factor authentication when the connection originates from certain sources. This is already supported by PAM. For example, the pam_access module can be used to check the source against local subnets:
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
In this case, access-local.conf looks like:
There you have it.
Hello,
I am trying to enable two factor authentication for external ip addresses. Can you give me more detail about this procedure?
Thank you!
In general this is a bad idea as outlined by our security experts in https://github.com/nextcloud/server/issues/2035