Dearest OMV team,
I was looking to info on enabling MFA on the OMV web console and came across this thread (Multi-factor Authentication for the Web Admin Console) from last year which stated that the team didn't believe MFA is necessary since the console should not be internet facing. This logic doesn't hold up compared to the number of businesses who protect their internal privileged accounts, backups, and access to sensitive data such as cardholder data in PCI environments with MFA. Single-factor passwords are not enough to protect against GPU farms brute-forcing 20 character passwords. Additionally, it is standard operating procedure for threat-actors looking to deploy ransomware to target and destroy internal/not public-facing backups prior to infection to ensure the victims pay the ransom.
I would greatly appreciate if the OMV team reconsidered this. I personally have authy synced with pam/google-authenticator library for ssh access to all of my internal linux systems that will never see the public internet.
Thank you for you great work.