Double Lock: Adding TOTP 2FA to Authelia Admin Portal

Securing the Admin Portal: A Two-Factor Authentication Setup Story
The borisovai-admin project had reached a critical milestone—the authentication layer was working. The developer had successfully deployed Authelia as the authentication gateway, and after weeks of configuration, the login system finally accepted credentials properly. But there was a problem: a production admin portal with single-factor authentication is like leaving the front door unlocked while keeping valuables inside.
The task was straightforward on paper but required careful execution in practice: implement two-factor authentication (2FA) to protect administrative access to admin.borisovai.tech and admin.borisovai.ru. This wasn’t optional security theater—it was essential infrastructure hardening.
The approach chosen was elegant in its simplicity. Rather than implementing a custom 2FA system, the developer leveraged Authelia’s built-in TOTP support (Time-based One-Time Password). This decision traded absolute flexibility for proven security and minimal maintenance overhead. The setup followed a clear sequence: navigate to the METHODS section in Authelia’s web interface, select One-Time Password, let Authelia generate a QR code, and scan it with a standard authenticator application (Google Authenticator, Authy, 1Password, or Bitwarden, take your pick). One check is easy to skip here: enrolling a device does not by itself make Authelia demand it. The second factor is only required for hosts whose access-control rule uses the two_factor policy, so the rules for the admin hosts have to say so.
The interesting part emerged during implementation. The notification system for TOTP registration was configured to use filesystem-based notifications rather than SMTP. This meant the registration link wasn’t emailed but instead written to /var/lib/authelia/notifications.txt on the server. It’s a pragmatic choice for development and staging environments where mail infrastructure might not be available, but it has a security cost: that file holds live one-time enrollment links, so anyone who can read it can register an authenticator for any user. It should be readable only by the Authelia process and the operator, and it would need to give way to SMTP delivery before production.
What made this particularly instructive was observing how authentication systems evolve. TOTP is not new: its counter-based ancestor HOTP was published as RFC 4226 in 2005, and the time-based variant was standardized as RFC 6238 in 2011. Yet it remains one of the most reliable 2FA mechanisms precisely because the authenticator needs no network connectivity or external service; all it needs is the shared secret and a reasonably accurate clock. Unlike HOTP, there is no moving counter to keep synchronized between device and server. The server stores only the per-user shared secret (and, in careful implementations, the last accepted time step so that a code cannot be replayed within its validity window) and derives the same six-digit code from that secret and the current Unix time in thirty-second steps. The one operational dependency this creates is clock accuracy on both sides, which is why Authelia and most servers accept a code from one step either side of the current one.
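To make the mechanism concrete, here is an added example (not Authelia’s code, and not from the project above) that implements RFC 4226/RFC 6238 in plain Python with the profile authenticator apps expect by default: HMAC-SHA1, a 30-second step, six digits. It also shows the two things the paragraph above says a careful server keeps: a tolerance of one step either side for clock drift, and the last accepted step so a code cannot be replayed. The secret is the RFC 6238 test-vector secret, used here purely as constructed sample data; the issuer and account name in the provisioning URI are placeholders.

```python
"""RFC 6238 TOTP, generation and server-side verification.

Added illustration of the mechanism Authelia relies on; not Authelia's
implementation. Defaults mirror the common authenticator-app profile:
HMAC-SHA1, 30-second period, 6 digits, one step of allowed skew.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample data: the shared secret from the RFC 6238 test vectors.
# A real secret is random (Authelia generates it when the QR code is shown).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // period, digits)


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     period: int = 30, digits: int = 6) -> str:
    """The otpauth:// URI that the enrollment QR code encodes.

    The secret travels base32-encoded; issuer/account are placeholders here.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


class TotpVerifier:
    """Server side: the shared secret plus the last accepted step.

    `skew` is the number of periods tolerated either side of now, to absorb
    clock drift. Remembering `last_step` makes every accepted code single-use,
    so a captured code cannot be replayed during its remaining validity.
    """

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.period = period
        self.digits = digits
        self.skew = skew
        self.last_step = -1  # highest time step already consumed by a valid login

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.period
        for step in range(now_step - self.skew, now_step + self.skew + 1):
            if step <= self.last_step:
                continue  # this step (or an older one) was already used: reject replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "ExampleIssuer", "admin@example.invalid"))
    print("code at t=59:", totp(SAMPLE_SECRET, 59))
    v = TotpVerifier(SAMPLE_SECRET)
    print("first use :", v.verify(totp(SAMPLE_SECRET, 59), 59))
    print("replayed  :", v.verify(totp(SAMPLE_SECRET, 59), 59))
```

The RFC 6238 test vectors check the arithmetic: with this secret the SHA1 code at Unix time 59 is 94287082, which truncates to 287082 for six digits. The `skew` and `last_step` handling is the part a home-grown verifier most often gets wrong, and it is the reason the paragraph above calls the server “nearly” stateless rather than stateless.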
The developer’s approach also highlighted a common misconception: assuming that 2FA implementation requires building custom infrastructure. In reality, most modern authentication frameworks like Authelia ship with production-ready TOTP support out of the box. That spares the project from having to audit its own handling of the details that home-grown implementations tend to get wrong, such as dynamic truncation, constant-time code comparison, skew windows, and replay protection.
After the QR code was scanned and the six-digit verification code was entered, the system confirmed successful registration. The admin portal was now protected by a second authentication factor, which is worth confirming from a fresh browser session: a login to either admin host should stop at the one-time-password prompt. The next phase would be ensuring the SMTP notification system is properly configured for production, so users receive their registration links via email rather than needing server-level file access.
The lesson stuck: security improvements don’t always require complexity. Sometimes they just need the right authentication framework and five minutes of configuration. 😄
Metadata
- Session ID: grouped_borisovai-admin_20260208_2250
- Branch: main
- Dev Joke: Developer: “I know PyTorch.” HR: “At what level?” Developer: “At the Stack Overflow level.”