This article explains how to set up two-factor authentication (2FA) as an additional layer of security for logging in remotely through the router's WAN interface. Once implemented, remote access to the router's management page requires not only the administrator's password but also an authentication code sent to a specific phone number or email address.
N.B.: 2FA is only supported on the WAN interface; it is not applied to the LAN interface.
1. Setting the choice of message
To send the Authentication Code via SMS, create an SMS service profile at Objects Setting >> SMS / Mail Service Object >> SMS Provider page.
To send the Authentication Code via email, create a Mail Service profile at Objects Setting >> SMS / Mail Service Object >> Mail Server page.
2. Amend the Administrator's Password Setup
Go to the System Maintenance >> Administrator Password Setup page.
Enable ‘Use only advanced authentication method’ for the Administrator's ‘WAN’ login
Choose 2-Step Authentication
Check SMS, Mail, or both, depending on which method you would like to use to receive the authentication code
Click OK to save
3. When you now access the router's management page from the internet, you will need to click ‘Get Code’ and then enter the code sent to you either by email or SMS, whichever you’ve set up.
N.B.: 2FA applies to both the WAN and LAN interfaces.
1. Go to the ‘Configuration / Notification Services / SMTP Server’ page and edit the ‘Default_Email_Profile’ (a Vigor 2136 is used in this example)
Switch On Enabled to activate the profile
Select the WAN interface through which the email will be sent
Enter the SMTP server’s IP or domain name and the SMTP port
Enter the Sender Address
Select the Connection Security that the SMTP server uses
Enter the email account’s username and password for the SMTP server’s authentication
2. Verify the SMTP settings by entering the recipient's email address in the ‘Send Test Email’ field and clicking the ‘Send Test Message’ button. The router will display the ‘Send Status’, which should indicate ‘SUCCESS’ for a successful setup. If the status shows ‘FAILED’, check the settings; comparing them with those of a working email client can help.
3. Check that the recipient has received the ‘Test Email’
4. Enter default email address information for the Administrator’s account by editing the admin profile: ‘System Maintenance/Account & Permission’. Switch on and enable the email address.
5. Switch on Enable MFA and select ‘Email’ as the allowed MFA method
6. Test it out. Browse to the Vigor Router’s web address and enter the Administrator’s user name and password.
The enabled MFA methods are listed; select email and click ‘Next’.
The Vigor router will send a six-digit code to the named Administrator’s email address.
The Administrator should receive a time-critical code in an email.
Paste the code into the box and press ‘Verify’ to gain access.
Navigate to ‘Configuration / Notifications and Services / SMS Provider’ and add a new profile. The example uses a ‘Customised Service Provider’ option to send the Authentication code via Telegram. Refer to DrayTek’s article ‘Register for a telegram bot account’ for instructions on how to create an account and get a bot token.
Give a name for this profile.
Switch on Enabled to enable it.
Select the WAN interface from which the SMS connection will be created
Select Customised for the Service Provider
Enter the SMS Provider API URL
Different suppliers may have different API standards, but for Telegram, it's:
https://api.telegram.org/bot[your telegram bot token]/sendMessage?chat_id=&text=
Check the recipient’s Telegram inbox to confirm they have received the text message.
After confirming that the SMS settings are working, change Telegram’s SMS provider API URL back to the standard format:
https://api.telegram.org/bot/sendMessage?chat_id=&text=
Modify the SMS API parameters according to the Service Provider's API requirements. Telegram uses ‘text’ to specify the message content and ‘chat_id’ to specify the recipient number.
Enter the SMS/Telegram Number (chat_id) information for the Administrator's account in System Maintenance > Account and Permission.
Switch on Enable SMS and enter the SMS number.
Switch on Enable MFA and select SMS as the Allowed MFA Method.
Browse to the Vigor Router’s web address and enter the Administrator's credentials.
The enabled MFA methods will be displayed; select SMS and click ‘Next’.
The Vigor Router will send a time-critical six-digit code to the Administrator’s Telegram account.
Enter this code and click ‘Verify’. The Administrator can then sign in to the Vigor router.
Note: Once MFA is enabled for the admin account, the Vigor Router will require MFA for admin logins from both LAN and WAN.
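The following is an added example, not part of the original article or DrayTek's own code. It checks the Telegram sendMessage URL from the SMS Provider step off the router: it builds the URL with ‘chat_id’ and ‘text’ percent-encoded, masks the bot token for logs, and maps a Telegram reply to the setting most likely at fault. The function names, the token pattern and the meaning given to each error code are assumptions; the sample values used with it are constructed.

```python
import json
import re
from urllib.parse import quote, urlencode

API_BASE = "https://api.telegram.org"
# Assumption: tokens usually look like "<numeric bot id>:<secret>".
TOKEN_RE = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")


def build_send_url(token: str, chat_id: str, text: str) -> str:
    """Return the sendMessage URL with chat_id and text percent-encoded."""
    if not TOKEN_RE.match(token):
        raise ValueError("bot token does not look like '<id>:<secret>'")
    if not re.fullmatch(r"-?\d+|@\w+", chat_id):
        raise ValueError("chat_id must be a numeric id or @channelusername")
    query = urlencode({"chat_id": chat_id, "text": text}, quote_via=quote)
    return f"{API_BASE}/bot{token}/sendMessage?{query}"


def redact(url: str) -> str:
    """Mask the secret half of the token; the token in the URL is a credential."""
    return re.sub(r"(/bot\d+:)[^/]+", r"\1<redacted>", url)


def diagnose(body: str) -> str:
    """Map a Telegram Bot API JSON reply to the setting most likely at fault."""
    reply = json.loads(body)
    if reply.get("ok"):
        return "ok: message accepted"
    code = reply.get("error_code")
    desc = reply.get("description", "")
    if code in (401, 404):
        return "check bot token"
    if code == 400 and "chat not found" in desc.lower():
        return "check chat_id"
    if code == 403:
        return "recipient has blocked the bot or never started a chat with it"
    return f"unhandled error {code}: {desc}"
```

Pass the reply body returned by a manual request to the built URL into diagnose(), and use redact() on the URL before it goes into a ticket or log.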