The more devices you manage with RPort, the more powerful the RPort server becomes. If an unauthorized person gets access to it, this person might take partial or full control of your infrastructure. Getting access to your machines via RDP or SSH always requires login credentials of the operating system. But if you have scripts and commands enabled, full control might be possible from the RPort dashboard.
Enabling two-factor authentication is therefore recommended. It prevents unauthorized usage of the RPort server if you or your teammates use weak passwords or passwords are stolen.
With 2FA enabled, you will receive a one-time token after the regular login. The token is sent either by email or by a push message to your mobile phone.
Using email is free of cost, but the protection is weaker compared to a push message. Think of a lost or stolen laptop. If the laptop is not fully encrypted, the wrongdoer will have access to both RPort and the email account, and the 2FA is useless. If you select push messages for 2FA, the wrongdoer must get access to both the laptop and the mobile phone. And nowadays, mobile phones are protected biometrically, so accessing the token is not that easy.
👉 Use push messages on mobile phones for 2FA (recommended)
👉 Use email for 2FA
Starting with rportd version 0.3 (late August 2021), all rport cloud installations have two-factor authentication via email enabled by default. Emails are sent via a free public service. This lets you start with a secure setup right from the beginning. The service comes without warranty or promised availability.
⚠️ If you plan to use RPort permanently and in a production environment, stop using the free service. It's highly recommended to either use your own SMTP server or switch to push messages.
The free email service, triggered by the script /usr/local/bin/2fa-sender.sh on your rport server, submits the user's email address and token over encrypted HTTPS to a web service operated by cloudradar GmbH. Email addresses are not used for any other purpose than dispatching the two-factor token. Email addresses are not stored.