
I am trying to set up an authentication scheme for my wifi network at home with which I can have the user enter a constantly changing 4-6 digit code based on the time (like what you see in MFA apps). A simple old two-factor authenticator.

My plan is to have an easy way for people to log in to the wifi network without having to deal with passwords, but still be quite secure. I already have an Arduino that changes numbers on an LED lighting display, which I can later sync to the changing numbers, and a source which defines the current valid numbers based on the time.

I am thinking about creating a custom captive portal in which I can embed code to pull the current two-factor code.

The main problem I am having is how to get a captive portal, either on the main router or on an offshoot device, where the user can enter the number and then be whitelisted on the main network, with access to everything like the printers and TV.

At first, I was thinking about putting it on a Raspberry Pi, but some people say that's a bad idea or just not feasible. After reading a lot, I am just confused now.

I mean, I was looking for "consumer" grade routers like Nighthawk-level stuff, but none of them seem to support custom captive pages. I guess if I had that option on the main home router I could just build it in there.

Anyway, in summary, what I want the user to experience:

  1. Connect to the network with a custom captive portal (which knows / can pull the current two-factor code)
  2. Enter the two-factor code
  3. Have their MAC address or device whitelisted in the wifi router
  4. If the custom captive portal is on the wifi router, then (stay connected), else (automatically have the device connect to the wifi router)

How should I go about this?
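The time-based code check at the heart of this scheme, as an added example that is not part of the original question or of any product mentioned on this page: an RFC 6238 TOTP generator and a verifier that a captive portal back end could call before whitelisting a device. The shared secret below is a constructed value (the RFC test seed); a real deployment would generate a random secret shared only by the portal and the clock source driving the LED display.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret (the RFC 4226/6238 test seed). In a real deployment,
# generate a random secret and keep it only on the portal and the code display.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the code changes every 30 s, as in common authenticator apps


def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step.

    HMAC-SHA1 of the big-endian 64-bit step counter, then dynamic truncation
    to a 31-bit integer, reduced to the requested number of decimal digits.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(submitted: str, secret: bytes, unix_time: int,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    so a slightly drifted display clock still works. The comparison is
    constant-time so the check does not leak which digits matched."""
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * STEP_SECONDS, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # What the LED display would show right now for this (constructed) secret.
    print("current code:", totp_code(SECRET, now))
    print("accepted:", verify_code(totp_code(SECRET, now), SECRET, now))
```

With a 4-6 digit code and a 3-step window, every guess has a few-in-10^digits chance of succeeding, so the portal also needs to rate-limit attempts per client before this check is meaningful.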

1 Answer

This is going to be a somewhat complicated project. I'd suggest taking a look at OpenWRT (https://openwrt.org/). They don't support TOTP-based auth out of the box (that I know of), but they do have a captive portal as an add-in. So it is something you could do. They have plenty of supported hardware; as for hardware recommendations, I only use Ubiquiti network gear at this point.

All that said, you'll have one hell of a time making this all secure. And while I'm sure there IS a way to make this work as intended and be secure, in the end it'll be more work/hassle than simply using a password. Captive portal networks are insecure by default, as connecting to a network without a password, as is required for a captive portal, requires the wireless connection to be unencrypted. For security after that, you could use an encrypted VPN, but then you're back to choosing between leaving all the network services (printers, etc.) on an open network or a complicated setup for users.
