[ZBXNEXT-6876] Zabbix MFA Support Created: 2021 Aug 30  Updated: 2025 Jan 30  Resolved: 2024 Apr 03

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F), Server (S)
Affects Version/s: 4.0.32, 5.0.15rc1, 5.4.3
Fix Version/s: 7.0.0beta2, 7.0 (plan)

Type: Change Request Priority: Minor
Reporter: Igor Gorbach (Inactive) Assignee: Elina Pulke
Resolution: Fixed Votes: 43
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2024-01-26-12-49-59-717.png     PNG File image-2024-01-26-12-51-53-046.png     PNG File image-2024-01-26-14-40-16-970.png     PNG File image-2024-01-26-14-43-05-149.png     PNG File image-2024-01-29-09-22-10-114.png     PNG File image-2024-02-26-15-50-52-851.png     PNG File image-2024-02-26-15-51-17-451.png     PNG File image-2024-02-27-14-38-25-488.png     PNG File image-2024-03-12-13-20-39-040.png     PNG File image-2024-03-14-14-21-14-684.png     PNG File screenshot-1.png     PNG File screenshot-2.png     PNG File screenshot-3.png     PNG File screenshot-4.png     PNG File screenshot-5.png     PNG File screenshot-6.png     PNG File screenshot-7.png     PNG File screenshot-8.png     PNG File screenshot-9.png    
Issue Links:
Causes
causes ZBXNEXT-9158 Cannot reset/update 2FA settings Reopened
causes ZBXNEXT-9159 2FA code is required every time even ... Reopened
causes ZBX-24603 User removal from MFA group must dele... Resolved
causes ZBX-24413 Can not use MFA with multiple logins Closed
Duplicate
is duplicated by ZBXNEXT-4966 Provide support for RFC 6238 Time-bas... Closed
is duplicated by ZBXNEXT-2606 Use Google 2 Factor Authentication Closed
is duplicated by ZBXNEXT-8748 2FA for 6.4.7 Closed
Sub-task
depends on ZBXNEXT-7690 enable capchta on zabbix Open
depends on ZBX-19918 The first visit of login page is logg... Closed
depends on ZBX-23663 Can't enable SAML without PHP LDAP ex... Closed
Epic Link: Zabbix 7.0
Team: Team C
Target end:
Sprint: Sprint 106 (Nov 2023), Sprint 107 (Dec 2023), S2401, S24-W6/7, S24-W8/9, S24-W10/11, S24-W12/13
Story Points: 16

 Description   

It would be great to create out-of-the-box Zabbix integration with Multi Factor Authentication provider or One Time Password service like Google Authenticator, DUO , Authy, etc.. to make Zabbix frontend authentication more secure

Example of fork implementation

Schema - Zabbix user connecting with LDAP or internal authentication to Frontend. After checking password - some one time password have generating with zabbix itself or with external provider usage. Zabbix user reiciving code by sms,e-mail, etc, put it into code requirementwindow in Frontend. Successful authentication

 Comments   
Comment by Marco Hofmann [ 2023 Jun 24 ]

Duplicate of my request ZBXNEXT-4966

Comment by patrik uytterhoeven [ 2023 Sep 02 ]

Actually the other ticket was from 2014 so this was the duplicate 

we lost 36 votes now and got 7 votes in place 

so now this feature has less chance to get implemented  soon unless we find a sponsor

Comment by Daniel Thorvil [ 2023 Sep 04 ]

Its 2023 and Zabbix does not have native MFA functionality

Comment by Hugo Santos [ 2023 Oct 20 ]

Hi to all,

hope that zabbix team consider to prioritize 2FA out of the box.

Wen i see this feature request priority marqued as minor,  make me think what kind of perspective is put on zabbix data security.

Really hope that someone on zabbix team can push this.

 

Best regards.

Comment by RoBo [ 2023 Oct 31 ]

We all want to have all our insights to be found in centralized Zabbix. But the gain is there also for hackers.
One of the most used attack vectors is based on valid credentials (at least in 2022 based on data from Cisco Talos). 

I was surprised not to find the most easy 2FA method (OTP standard like Google Authenticator is using) being implemented (yes there is a fork that adds this, but I think most of us don't want to become dependent on yet another party). As this is well-known code, I would guess that it would not take much effort to add this feature?

Comment by Alexei Vladishev [ 2023 Nov 13 ]

There is a great chance we will be able to include it into Zabbix 7.0, working on business level requirements currently.

Comment by J. van Stijn [ 2023 Nov 30 ]

+1

 

Can't believe how few votes this has gotten yet. I hope it will be added soon because hacking it in would be a nightmare. 

Comment by Łukasz Sęk [ 2024 Jan 17 ]

+1

I think it's worth adding MFA to Zabbix. I believe that Zabbix is ​​quite a critical place in the company's infrastructure, even though it does not have to be exposed to the Internet.

Comment by Dirk Steinkopf [ 2024 Feb 01 ]

Status resolved, Resolution unresolved 🧐

Comment by dimir [ 2024 Feb 02 ]

This is intended, the Resolution is set when the Status is Closed.

Comment by RoBo [ 2024 Feb 02 ]

Hmm, regarding previous 2 comments, it seems that some administrative work needs to be done

  • From the FixVersion it seems that this is implemented for new versions. Great a big thank you! We'll be surely going to use this.
  • ZBXNEXT-4966 is clearly a duplicate, but it's status is 'Open' and not linked as duplicate?
  • How is it possible that there are 3 dependencies, where 1 is still open? Then this one would not be a dependency I guess?
  • If this is implemented in new code, then the resolve status should not be Unresolved, but Resolved as it is implemented.

Just trying to assist in having clear communication towards the community...

Comment by dimir [ 2024 Feb 02 ]

Yes, we know ZBXNEXT-4966 is the original ticket but for some reason it was decided to take this one and start implementation using its reference number. I didn't want to close the ticket of starko because of the respect and votes. But at this point it looks like it brings more confusion so I'll close it.

Once again, the ticket has Status and Resolution. The latter is an additional information for some of the options of Status. Now "Resolved" Status has no additional information, it means the implementation is ready and now we are waiting for QA. What you are looking for is Status "Closed" and Resolution "Fixed". That would mean the issue is complete.

Comment by RoBo [ 2024 Feb 03 ]

Thanks for the info @dimir. I'm used within Jira to not see any Resolution value until the status become resolved or closed. Then this will prevent unlogic situation like status=resolved, with resolution=Unresolved. But anyway I understand your executed logic. Basically it's saying: "Don't look at the resolution until the status=Closed".

Comment by dimir [ 2024 Feb 05 ]

Correct, yeah. I have also seen it differently in other projects but this is how things are in this one.

Comment by Elina Pulke [ 2024 Mar 18 ]

Available in:

Comment by Arturs Dancis [ 2024 Mar 27 ]

Documentation (7.0) updated:

  • Introduction > What's new in Zabbix 7.0.0
  • Installation > Best practices > Web server (updated note)
  • Installation > Web interface installation (added curl as a pre-requisite)
  • Configuration > Users and user groups > User groups (updated configuration screenshot and parameters)
  • Web interface > Frontend sections > Users > Users (updated user list screenshot and mass editing options)
  • Web interface > Frontend sections > Users > Authentication (updated configuration screenshot and list of authentication methods)
    • HTTPLDAPSAML (updated configuration screenshots)
    • MFA (added new page)
Generated at Fri Mar 28 23:06:49 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.