Implementing two-factor authentication (2FA) is one of the most effective ways to protect a server against malicious brute-force login attempts. With 2FA, logging in additionally requires a time-based One-Time Password (OTP) that only the legitimate user can produce.

Since Webmin 1.660, Webmin (and hence Virtualmin, Cloudmin and Usermin) has built-in support for two-factor authentication using either Google Authenticator (based on TOTP) or Authy. Authy is a popular commercial 2FA service, but it is free if your usage is low, i.e. you will not be charged if the usage per month is less than $3. Given its robust features, especially backup, Authy is the recommended way to implement 2FA in Webmin, Virtualmin and Usermin.

How to Enable Two-Factor Authentication in Webmin / Virtualmin / Usermin / Cloudmin

  1. Sign up or log in at https://www.authy.com/developers and create a new application for Webmin in Authy.
  2. Note down the production API key shown for the app (viewable in the Dashboard).
  3. Log in to Webmin.
  4. Go to the Webmin tab, if applicable.
  5. Expand the Webmin category tree.
  6. Go to the Webmin Configuration module.
  7. Click on Two-Factor Authentication.

    Webmin Configuration - Two-Factor Authentication

  8. Select Authy as the authentication provider and enter the Authy API key.

    Webmin with Authy 2FA

  9. Click Save.
Note
You may be prompted to install the Authen::OATH Perl module if it’s not yet installed.

Once the Authy 2FA service is enabled in Webmin, the next step is to enroll, turn on and enforce 2FA for Webmin users.

How to Enroll and Enable Authy Two-Factor Authentication for Webmin Users

  1. Go to the Webmin tab, if applicable.
  2. Expand the Webmin category tree.
  3. Go to the Webmin Users module.
  4. To enroll yourself (the currently logged-in user), click on Two-Factor Authentication.

    To enable 2FA for another user, click on the username listed under “Webmin Users”. Then, expand the Security and limits options section and click the Enable Two-Factor For User button.

    Enable Webmin User to Enforce 2FA

  5. Enter the email address, cellphone country code and cellphone number of the user, exactly as registered in the Authy mobile app. If you have never used Authy to retrieve an OTP (One Time Password) code before, download the Authy app and register on your preferred device. Authy has apps for iOS, Android, BlackBerry, Mac OS X, Windows (via Chrome) and Linux.

    Enter Authy User Details

    Note
    The email address and mobile phone number entered here must match those registered in the user's Authy account, so that he or she can open the Authy app to generate and retrieve the code. This is different from the Authy developer account, which provides the API key.
  6. Click the Enroll For Two-Factor Authentication button.

Confirm that 2FA is working in Webmin by logging out and logging in again. The Webmin login page will now show an additional “Two-factor token” field, which must be filled in for the login to succeed. The code is a 7-digit number generated by the Authy app on your smartphone or computer.

When 2FA is enabled for a user, Webmin appends an asterisk to the end of the user name.