Exploiting (or abusing) password fields for Multi-Factor Authentication
March 31, 2023
I’ve recently been looking into how people add Multi-Factor
Authentication (MFA) to their OpenVPN systems, both using commercial
solutions and home-grown ones. One of the things that makes this
difficult is that I believe the OpenVPN authentication protocol is
old-fashioned enough that it doesn’t provide for multi-step
interaction. Instead, clients can send either or both of a TLS client
certificate and a username plus password pair to the server, and
the server gets to decide. However, common OpenVPN server software
allows you to plug in your own code to do the user and password
authentication (for example through the auth-user-pass-verify
directive, which hands your script the username and password), and
so it turns out that people have used this to add MFA.
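As an added illustration of the plug-in point (this is example code written for this page, not the author's setup or anything from the OpenVPN project): an auth-user-pass-verify script in OpenVPN's via-file mode receives a temporary file with the username on the first line and the password on the second, and signals success or failure with its exit status. Because the client can only send one password string, a script that wants a second factor has to carve it out of that string. The hypothetical layout below is "static password immediately followed by a 6-digit TOTP code"; the user table, salt and TOTP seed are constructed for the demo (the seed is the RFC 4226/6238 test-vector secret so the codes can be checked against the RFC).

```python
"""Example auth-user-pass-verify hook: static password + TOTP in one field."""
import base64
import hashlib
import hmac
import struct
import sys
import time

TOTP_DIGITS = 6
TOTP_STEP = 30
TOTP_WINDOW = 1  # also accept the previous and next 30-second step (clock drift)
PBKDF2_ITERS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret: bytes, code: str, now: int,
               step: int = TOTP_STEP, window: int = TOTP_WINDOW) -> bool:
    """RFC 6238 TOTP check over a small window of time steps around `now`."""
    counter = now // step
    matches = [hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1)]
    return any(matches)


def split_password(field: str, digits: int = TOTP_DIGITS):
    """Split 'staticpasswordNNNNNN' into (static, code); None if it can't be."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def check_static(user: dict, password: str) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERS)
    return hmac.compare_digest(derived, user["hash"])


def authenticate(users: dict, username: str, field: str, now: int) -> bool:
    """Both factors must pass; both are always evaluated so failures look alike."""
    user = users.get(username)
    parts = split_password(field)
    if user is None or parts is None:
        return False
    static, code = parts
    ok_pw = check_static(user, static)
    ok_otp = totp_valid(base64.b32decode(user["totp_b32"]), code, now)
    return ok_pw and ok_otp


def read_via_file(path: str):
    """OpenVPN via-file mode: line 1 is the username, line 2 the password."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        return None
    return lines[0], lines[1]


def make_user(password: str, totp_seed: bytes) -> dict:
    salt = b"constructed-demo-salt"  # constructed; use os.urandom(16) per user in practice
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS),
        "totp_b32": base64.b32encode(totp_seed).decode(),
    }


# Constructed demo user; the seed is the RFC 4226/6238 test secret.
DEMO_USERS = {"alice": make_user("correct horse", b"12345678901234567890")}

if __name__ == "__main__":
    # Usage from server.conf: auth-user-pass-verify /path/to/this.py via-file
    creds = read_via_file(sys.argv[1])
    ok = creds is not None and authenticate(DEMO_USERS, creds[0], creds[1], int(time.time()))
    sys.exit(0 if ok else 1)
```

The fixed-width suffix is what makes the scheme workable: the script never has to guess where the password ends, and a static password that itself ends in digits is harmless because only the last six characters are treated as the code. The replay window is deliberately small; a real deployment would also record the last accepted counter per user so a sniffed code cannot be reused within the window.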
The simpler approach is one taken b