<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security &#8211; AbsTechServices.co.uk</title>
	<atom:link href="https://web.abstechservices.co.uk/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://web.abstechservices.co.uk</link>
	<description>IT Support</description>
	<lastBuildDate>Fri, 05 Sep 2025 13:16:02 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.1</generator>

<image>
	<url>https://web.abstechservices.co.uk/wp-content/uploads/2025/02/cropped-AbsTechIconLarge-32x32.png</url>
	<title>Security &#8211; AbsTechServices.co.uk</title>
	<link>https://web.abstechservices.co.uk</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to Reduce your Network Exposure to the Internet</title>
		<link>https://web.abstechservices.co.uk/2025/09/05/how-to-reduce-your-network-exposure-to-the-internet/</link>
					<comments>https://web.abstechservices.co.uk/2025/09/05/how-to-reduce-your-network-exposure-to-the-internet/#respond</comments>
		
		<dc:creator><![CDATA[AbsTechAdmin]]></dc:creator>
		<pubDate>Fri, 05 Sep 2025 13:14:29 +0000</pubDate>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Computing]]></category>
		<category><![CDATA[Guide]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Network]]></category>
		<guid isPermaLink="false">https://web.abstechservices.co.uk/?p=477</guid>

					<description><![CDATA[1. Twingate In testing a lot of the solutions today for remote access, I have settled on Twingate for secure remote access for home lab. It is really easy to setup and they have a free account which is great for home labs. With the free account, it is free for 5 users, you get [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p><strong>1. Twingate</strong></p>



<p>After testing a lot of the remote-access solutions available today, I have settled on Twingate for secure remote access to my home lab. It is really easy to set up, and the free account is great for home labs: it covers 5 users and includes the enterprise connectors, split tunneling, and conditional access policies.</p>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="576" src="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea-1024x576.webp" alt="" class="wp-image-482" srcset="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea-1024x576.webp 1024w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea-300x169.webp 300w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea-768x432.webp 768w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea-1536x864.webp 1536w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/bc1c7cbc-428f-4487-9c3b-68a971a5f0ea.webp 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>Some may not like the fact that it is a paid solution with a proprietary cloud dashboard, but so far this has not been a show stopper for me. The cloud dashboard actually makes it easier to manage from wherever you are, and since it is included at no extra cost, this is an added bonus in my opinion.</p>



<p>The on-premises connectors can also be spun up on Docker, a Raspberry Pi or many other platforms. I have these spread out through my network on different devices, including:</p>



<ul class="wp-block-list">
<li>Running a connector on my Synology NAS.</li>



<li>Running a connector on one of my Docker hosts.</li>



<li>I have one also running in a dedicated virtual machine.</li>



<li>A Raspberry Pi which I can plug into any network with an internet connection.</li>
</ul>



<p><strong>What is Twingate?</strong></p>



<p>Twingate is more of a hybrid of VPN and proxy technology. Compared to traditional VPN solutions, it takes a much more modern approach to segmentation and access control, and it is built around a zero-trust model.</p>



<p><strong>Reasons I use it:</strong></p>



<ul class="wp-block-list">
<li><strong>No open ports</strong> on my firewall – How? The tunnel is established outbound <strong>from</strong> the connector, so as long as the connector can egress, it can establish the tunnel and no inbound rule is needed.</li>



<li>Granular access control per user and device</li>



<li>Easy to deploy on Docker, VMs, or Raspberry Pi</li>



<li>Works great with dynamic IPs or CGNAT</li>



<li>Built-in DNS resolution for internal services you may be hosting</li>
</ul>



<p>Even when I am travelling, I can reach any internal service in my home lab, including the Proxmox dashboard, pfSense, Netdata, Gitea, Portainer, etc., just as if I were local on the LAN.</p>



<p>Twingate also lets me separate services. I can restrict certain resources to certain devices or accounts. This is perfect if I want to allow read-only access to others (or segment off something sensitive).</p>



<p><strong>2. Tailscale mesh VPN built on WireGuard</strong></p>



<p>One of the other very popular choices in this space is Tailscale. It is a mesh VPN built on WireGuard. Home labbers love it because it is dead simple: you install the agent on your devices and sign in, and everything is connected to everything else. Each device on the Tailscale network gets a private IP address in the 100.x.x.x range, and devices use these addresses to talk to each other directly.</p>



<figure class="wp-block-image size-full"><img decoding="async" width="682" height="383" src="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image.png" alt="" class="wp-image-478" srcset="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image.png 682w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-300x168.png 300w" sizes="(max-width: 682px) 100vw, 682px" /></figure>



<p><strong>What makes Tailscale awesome to use:</strong></p>



<ul class="wp-block-list">
<li>No port forwarding is required</li>



<li>It works behind NAT, CGNAT, double NAT</li>



<li>It supports ACLs, MagicDNS, subnet routers</li>



<li>Free for up to 100 devices at this time</li>
</ul>



<p>Tailscale is great if you want an always-on private network where your laptop, phone, Raspberry Pi, and server all “see” each other like they’re on the same LAN.</p>



<p>I’ve used Tailscale to:</p>



<ul class="wp-block-list">
<li>Connect remote machines together without hassle</li>



<li>Connect to Home Assistant remotely</li>



<li>Access Proxmox web GUI on my phone</li>
</ul>



<p>It just works and the WireGuard-based performance is excellent. The main trade-off is that all devices must use Tailscale to communicate.</p>



<p><strong>3. Plain WireGuard</strong></p>



<p>For those who want a totally vanilla VPN solution, <a href="https://www.wireguard.com" target="_blank" rel="noreferrer noopener">WireGuard</a> is a great option. It’s the leanest, fastest VPN protocol out there; in fact, many of the other solutions we know and love use WireGuard under the hood. And the great thing is that it is totally free and open-source.</p>



<figure class="wp-block-image size-full"><img decoding="async" width="656" height="141" src="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-1.png" alt="" class="wp-image-479" srcset="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-1.png 656w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-1-300x64.png 300w" sizes="(max-width: 656px) 100vw, 656px" /></figure>



<p>With WireGuard you can:</p>



<ul class="wp-block-list">
<li>Install it on Linux, routers, Docker containers</li>



<li>Set up point-to-site or site-to-site tunnels</li>



<li>Build roaming VPNs with static peers or dynamic endpoints</li>
</ul>



<p><strong>Why choose vanilla WireGuard:</strong></p>



<ul class="wp-block-list">
<li>Full control over the config</li>



<li>Zero cloud dependencies</li>



<li>Extremely fast and secure</li>



<li>Tiny footprint</li>
</ul>



<p>WireGuard is the most “bare metal” of the solutions here. If you’re comfortable editing config files and managing keys, it’s rock solid. <strong>WG-Easy</strong> is a solution I have written about before that makes configuring WireGuard much easier.</p>



<p><strong>4. Cloudflare Tunnel</strong></p>



<p>If you have a web service that you want to make available over the public Internet, but want to do so securely, Cloudflare Tunnel is probably the right tool to use. Instead of opening ports on the firewall as we have always done, Cloudflare Tunnel has you run a lightweight agent inside your home network (much like Twingate) that establishes an outbound WebSocket-over-HTTPS tunnel to Cloudflare.</p>



<p>The cool thing is that Cloudflare Tunnel can connect more than just HTTP web servers: it can also connect&nbsp;SSH servers,&nbsp;remote desktops, and other protocols. Your “origin” servers serve traffic through Cloudflare only, and because no inbound port is open, attacks that try to bypass Cloudflare and reach the origin directly have nothing to connect to. Cloudflare handles the incoming requests and routes them over the tunnel back to your internal network service.</p>



<p>If you want to make a service accessible via the public Internet, Cloudflare Tunnel is probably the right tool.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="694" height="433" src="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-2.png" alt="" class="wp-image-480" srcset="https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-2.png 694w, https://web.abstechservices.co.uk/wp-content/uploads/2025/09/image-2-300x187.png 300w" sizes="(max-width: 694px) 100vw, 694px" /></figure>



<p><strong>Why it’s awesome to use:</strong></p>



<ul class="wp-block-list">
<li>No open ports, no NAT config</li>



<li>Built-in DDoS protection behind Cloudflare’s network</li>



<li>Automatic SSL with Let’s Encrypt</li>



<li>Supports access rules with Cloudflare Access</li>
</ul>



<p>With Cloudflare Tunnel, you can expose a service like Gitea, Portainer, or Grafana at https://myapp.mydomain.com, but only allow access to certain users or IPs. You can even integrate it with identity providers like GitHub or Google.</p>



<p>I’ve used this to:</p>



<ul class="wp-block-list">
<li>Share dashboards with others</li>



<li>Demos</li>



<li>Access services from mobile without VPN connections</li>



<li>Test webhooks or third-party integrations</li>
</ul>



<p>Just remember that Cloudflare Tunnel <strong>is still exposing your service to the public</strong>, albeit through a heavily protected proxy. It’s better than port-forwarding, but not as private as Twingate or Tailscale.</p>



<p><strong>Conclusion</strong></p>



<p>Exposing your home lab directly to the Internet is a sledgehammer approach that can get your services out there quickly, but from a security perspective it is not worth it. I have self-hosted a few things that I exposed directly to the Internet with firewall rules and other hardening, but given enough time and persistence, attackers can find a way into a machine, especially through high-risk services like RDP.</p>



<p>Since there are great tools available for secure remote access to a home lab, I have stopped exposing my home lab entirely. The services covered here are, I think, some of the best, and each has its strong suit. Whatever tool you choose, stop punching holes in your firewall and start using one of these modern solutions.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://web.abstechservices.co.uk/2025/09/05/how-to-reduce-your-network-exposure-to-the-internet/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>How to protect your data online by using a password manager</title>
		<link>https://web.abstechservices.co.uk/2025/08/03/how-to-protect-your-data-online-by-using-a-password-manager/</link>
					<comments>https://web.abstechservices.co.uk/2025/08/03/how-to-protect-your-data-online-by-using-a-password-manager/#respond</comments>
		
		<dc:creator><![CDATA[AbsTechAdmin]]></dc:creator>
		<pubDate>Sun, 03 Aug 2025 07:22:05 +0000</pubDate>
				<category><![CDATA[Computing]]></category>
		<category><![CDATA[Guide]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Password]]></category>
		<guid isPermaLink="false">https://web.abstechservices.co.uk/?p=464</guid>

					<description><![CDATA[If you&#8217;re struggling to keep track of your online passwords, you&#8217;re not alone. Almost everything you do on the internet beyond simple web browsing requires a login. Some people use easy-to-remember passwords, while others have one complex password for all their accounts. Neither option is recommended since they make it easy for identity thieves and [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>If you&#8217;re struggling to keep track of your online passwords, you&#8217;re not alone. Almost everything you do on the internet beyond simple web browsing requires a login. Some people use easy-to-remember passwords, while others have one complex password for all their accounts. Neither option is recommended since they make it easy for identity thieves and other criminals to steal your credentials. A much better option is a password manager – but what are they, how do they work, and are they safe?</p>



<p><strong>What is a&nbsp;password manager?</strong></p>



<p>A password manager is software that helps users create strong passwords, store them in a digital vault protected by a single master password, and then retrieve them as needed when logging into accounts.</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="698" height="392" src="https://web.abstechservices.co.uk/wp-content/uploads/2025/08/image.jpeg" alt="" class="wp-image-465" srcset="https://web.abstechservices.co.uk/wp-content/uploads/2025/08/image.jpeg 698w, https://web.abstechservices.co.uk/wp-content/uploads/2025/08/image-300x168.jpeg 300w" sizes="(max-width: 698px) 100vw, 698px" /></figure>



<p><strong>Should you use a password manager?</strong></p>



<p>Using a password manager certainly offers benefits. Password leaks have become common – that is, websites are hacked and user data such as usernames and passwords fall into the hands of criminals. If hackers obtain your login credentials, they can try them on other websites. If you use the same credentials across multiple websites, then a leak of one website’s data could enable criminals to access all your online accounts. That is why it’s essential to use strong and unique passwords for each website. A strong password comprises at least 12 characters – ideally more – and is a mix of upper- and lower-case letters, numbers, and symbols. It also avoids obvious or commonly known information about you, such as your date of birth or the names of family members.</p>



<p>However, most of us have many online accounts – one 2020 study suggested the average internet user has around 100 – so keeping track of numerous long, complex passwords becomes difficult. That’s where password managers come in: they simplify the process by generating secure, random passwords for you and remembering them, so you don&#8217;t have to. Ultimately, the only password you need to remember is for the password manager itself.</p>



<p><strong>How does a password manager work?</strong></p>



<p>There are various password managers on the market. Once you’ve decided which one is right for you, the first thing to do is set it up and protect it with a master password. You will be keeping all your passwords in one place – i.e., in your digital vault – and your master password will be your key to that vault. Since your master password encrypts the contents of your vault, the password you choose must be a strong one. It&#8217;s also important not to lose it – otherwise, you will need to reset the passwords for all your online accounts – so make sure it’s something you won’t forget. On mobile devices, some password managers allow access via fingerprint or face ID.</p>



<p>Once the password manager is installed, it will capture your username and password and save them in your digital vault whenever you log into an app or site. A good password manager should keep track of any changes made to usernames and passwords within the vault and offer to update the stored information for that website or app. Many password managers use auto-fill – that is, they automatically fill in your login credentials on websites and apps when you visit the relevant pages.</p>



<p>As well as saving time, the autofill function can help alert you to phishing – for example, if you find yourself on a site that resembles your normal banking site, but the form fields don’t automatically populate with your login information, it could be a sign that you’re on a phishing website with a different URL, potentially using a typosquatting domain.</p>



<p>Password managers don’t just remember password information either: most password managers will also remember your personal information, such as name, address, and credit card details, and autofill these where appropriate on web forms. This saves time when carrying out a transaction like online shopping. A good password manager will also store documents, medical records, and photos in an encrypted vault which only you can unlock.</p>



<p>When creating new accounts, a password manager will offer to generate a new secure random password for you, which saves the hassle of creating new passwords each time. Good password managers should also let you know if existing passwords are weak or have been compromised in a data breach.</p>



<p>One way that users can maximize the security of their password manager is by enabling multi-factor authentication (MFA) on their accounts. MFA means that unlocking your password manager requires something in addition to your master password. This might be a fingerprint, facial recognition, a code from a mobile authenticator app, or a hardware security key.</p>



<p>Once you have created your master password and set up multi-factor authentication on your account, you can make your password manager easier to use by installing a browser extension. A good password manager will offer extensions for popular browsers.</p>



<p><strong>Are password managers safe?</strong></p>



<p>Given the information they hold – all your passwords, contact details, credit card details, and potentially other important documents – it&#8217;s reasonable to ask how safe password managers really are.</p>



<p>Some password managers can be hacked. But in those cases, there&#8217;s an important caveat: the information contained within your password manager should be encrypted. Assuming your password manager uses industry-standard encryption such as Advanced Encryption Standard (AES), it should be almost impossible for criminals to decipher the contents. While each password manager offers different features, it is generally true to say that password managers are safe to use.</p>



<p>The password manager vendor does not store your master password and cannot read the encrypted contents of your vault. This provides an additional layer of security. A key aspect of password manager security lies in the strength of your master password – so it’s essential to choose something strong (and to keep it safe).</p>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="698" height="463" src="https://web.abstechservices.co.uk/wp-content/uploads/2025/08/image-1.jpeg" alt="" class="wp-image-466" srcset="https://web.abstechservices.co.uk/wp-content/uploads/2025/08/image-1.jpeg 698w, https://web.abstechservices.co.uk/wp-content/uploads/2025/08/image-1-300x199.jpeg 300w" sizes="(max-width: 698px) 100vw, 698px" /></figure>



<p><strong>Tips for choosing a password manager</strong></p>



<p>Here are some useful tips on choosing the right password manager for you:</p>



<ul class="wp-block-list">
<li>Choose software that has strong encryption.</li>



<li>Check for a lockout feature, which is helpful in case you forget your password.</li>



<li>Should something go wrong, know in advance how the vendor will help you — telephone, email, or chat.</li>



<li>Check whether the software offers identity theft protection&nbsp;and whether it takes other measures to protect against other malicious behaviours.</li>



<li>Be comfortable using the software. Look into the usability of any password manager you are considering and ensure you will be able to integrate it with whatever devices or browsers you typically use.</li>



<li>Calculate the costs and benefits. A full-featured password management suite certainly brings the best value, but there are also&nbsp;free password manager&nbsp;applications that you can download as a trial to test your interest.</li>
</ul>



<p>A word on browser-based password managers. Some web browsers have integrated password managers. These tend not to compare favourably with dedicated password managers since they usually store passwords on your computer in an unencrypted form. This means that, unless you encrypt your computer&#8217;s hard drive, people could access the password files on your computer and view them. In addition, some browser-based password managers don&#8217;t automatically generate random passwords, and they may not offer cross-platform syncing.</p>



<p><strong>FAQs about password managers</strong></p>



<p><strong>How do password managers work?</strong></p>



<p>Password managers store all your passwords in an encrypted digital vault. When you visit a website, the password manager will auto-fill the appropriate login information for that site. This means that you don’t have to remember your username, password, and email address for each website – the password manager does it for you.</p>



<p><strong>Why use a password manager?</strong></p>



<p>It&#8217;s recommended to use strong, unique passwords for each site you log into. But most of us have numerous passwords, and keeping track of them can be difficult. A password manager simplifies the process by generating secure, random passwords and remembering them, so you don&#8217;t have to. Ultimately, the only password you need to remember is for the password manager itself. In addition, most password managers will allow you to store documents, medical records, and photos in an encrypted vault that only you can unlock.</p>



<p><strong>How safe are cloud-based password managers?</strong></p>



<p>Most cybersecurity experts agree that cloud-based password managers are safe to use and, in fact, are the most secure way to store your passwords. A password manager with AES-256 encryption – that is, military-grade encryption – is almost impossible to crack. A good password manager should operate from a zero-knowledge principle – that is, the software creator should not know anything at all about your data, nor should anyone else. In addition, the ability to enable multi-factor authentication (MFA) on your password manager provides an additional layer of security. No matter which password manager you choose, avoid accessing it on public networks because your data can still be captured at any time.</p>



<p><strong>A password manager helps protect your data online</strong></p>



<p>When used daily, password managers are a convenient solution that can help secure your most private and sensitive information on the internet. There are various password managers on the market, and it&#8217;s worth taking the time to find one that is right for you. The right password manager will help to protect your data online.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://web.abstechservices.co.uk/2025/08/03/how-to-protect-your-data-online-by-using-a-password-manager/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>What is two-factor authentication (2FA)?</title>
		<link>https://web.abstechservices.co.uk/2025/02/24/what-is-two-factor-authentication-2fa/</link>
					<comments>https://web.abstechservices.co.uk/2025/02/24/what-is-two-factor-authentication-2fa/#comments</comments>
		
		<dc:creator><![CDATA[AbsTechAdmin]]></dc:creator>
		<pubDate>Mon, 24 Feb 2025 10:33:17 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[2FA]]></category>
		<category><![CDATA[Computing]]></category>
		<guid isPermaLink="false">https://web.abstechservices.co.uk/?p=342</guid>

					<description><![CDATA[Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. 2FA is implemented to better protect both a user&#8217;s credentials and the resources the user can access. It&#8217;s typically used as part of a broader effort to prevent [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>Two-factor authentication (2FA), sometimes referred to as <em>two-step verification</em> or <em>dual-factor authentication</em>, is a security process in which users provide two different authentication factors to verify themselves.</p>



<p>2FA is implemented to better protect both a user&#8217;s credentials and the resources the user can access. It&#8217;s typically used as part of a broader effort to prevent data breaches and the potential loss of personal data.</p>



<p>Two-factor authentication adds an extra layer of security to the authentication process by making it harder for attackers to gain access to a person&#8217;s devices or online accounts. Even if the victim&#8217;s password is stolen, a password alone isn&#8217;t enough to pass the authentication check.</p>



<p>Two-factor authentication has long been a cybersecurity strategy to manage account security by controlling access to sensitive systems and data. Online service providers are increasingly using 2FA to protect users&#8217; credentials from being used by hackers who stole a password database or used phishing attacks to obtain user passwords.</p>



<p><strong>What are authentication factors?</strong></p>



<p>There are several ways in which someone can be authenticated using more than one authentication method. Most authentication methods rely on knowledge factors, such as a traditional password. Two-factor authentication methods add either a possession factor or an inherence factor.</p>



<p>Authentication factors, listed in approximate order of adoption for computing, include the following:</p>



<ul class="wp-block-list">
<li><strong>Knowledge factor.</strong> A knowledge factor is something the user knows, such as a password or a personal identification number (PIN).</li>



<li><strong>Possession factor.</strong> A possession factor is something the user has, such as an ID card, a security token, a mobile phone or a smartphone app, to approve authentication requests.</li>



<li><strong>Biometric factor.</strong> A biometric factor, also known as an inherence factor, is something inherent in the user&#8217;s physical self. It might be a personal attribute mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader. Other commonly used inherence factors include facial and voice recognition or behavioural biometrics, such as keystroke dynamics, gait or speech patterns.</li>



<li><strong>Location factor.</strong> A location factor is usually the location from which an authentication attempt is being made. Authentication attempts can be limited to specific devices in a particular location or the geographic source of an authentication attempt can be tracked based on the Internet Protocol address or some other geolocation information, such as Global Positioning System (GPS) data, derived from the user&#8217;s iPhone, Android phone or other mobile device.</li>



<li><strong>Time factor.</strong> A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.</li>
</ul>



<p>Most two-factor authentication methods rely on knowledge, possession and biometric authentication factors. Systems requiring greater security use multifactor authentication (MFA), which relies on additional independent credentials for more secure authentication.</p>



<p><strong>How does two-factor authentication work?</strong></p>



<p>Enabling two-factor authentication varies depending on the specific application or vendor. However, most two-factor authentication implementations follow the same general multistep process:</p>



<ol start="1" class="wp-block-list">
<li>The user is prompted to log in by the application or the website.</li>



<li>The user enters what they know, usually their username and password.</li>



<li>The site&#8217;s server finds a match and recognizes the user.</li>



<li>For processes that don&#8217;t require passwords, the website generates a unique security key for the user. The authentication tool processes the key and the site&#8217;s server validates it.</li>



<li>The site prompts the user to initiate the second login step. Although this step can take several forms, the user must prove that they have something only they would have, such as a biometric feature, security token, credit card, ID card, smartphone or other mobile device. This is the inherence or possession factor.</li>



<li>The user might have to enter a one-time passcode that was generated during Step 4.</li>



<li>After providing both factors, the user is authenticated and granted access to the application or website.</li>
</ol>



<p>Two-factor authentication involves two of three potential authentication factors.</p>



<p><strong>Elements of two-factor authentication</strong></p>



<p>Two-factor authentication is a form of MFA. Technically, it&#8217;s in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn&#8217;t constitute 2FA. For example, requiring a password and a shared secret is still considered single-factor authentication (SFA), as they both belong to the knowledge factor type.</p>



<p>SFA that relies on usernames and passwords isn&#8217;t the most secure. One problem with password-based authentication is that it requires knowledge and diligence to create and remember strong passwords. Passwords need protection from insider threats, such as carelessly stored sticky notes with login credentials and carelessly discarded hard drives. Passwords are also vulnerable to external threats, such as hackers using brute-force, dictionary or rainbow table attacks, as well as social engineering.</p>



<p>Given enough time and resources, an attacker can usually breach password-based security systems and steal corporate data. Passwords have remained the most common form of SFA on laptops and other devices because of their low cost, ease of implementation and familiarity.</p>



<p>Multiple challenge-response authentication questions can provide more security depending on how they are implemented. Standalone biometric verification methods can also provide a more secure method of SFA.</p>



<p>Adaptive multifactor authentication introduces a gatekeeper element into the process. The authentication system keeps a profile of the characteristics and patterns associated with each user. Authenticating a user&#8217;s identity starts when the user interacts with the adaptive authenticator. It compares the attempt with the user&#8217;s known characteristics and behaviour, for example how many access requests have been made recently, the times of day at which the user normally logs in, or whether the device has been seen before, to decide how much trust to assign. Depending on that assessment the user is let through to the next step, asked for an additional factor, or blocked.</p>
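<p>As an added illustration (example code written for this page, not part of the original article or any vendor&#8217;s product), the following Python scores a login attempt against a constructed login history in the way an adaptive authenticator does. The device identifiers, the history, the weights and the allow/step-up/block thresholds are all assumptions chosen for the example.</p>

```python
# Added example (not from the original article): a small adaptive-authentication policy
# that scores a login attempt against the user's history and decides whether to allow it
# on the first factor alone, require a second factor (step-up), or block it.
# The history, device names, weights and thresholds are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Attempt:
    user: str
    device_id: str    # identifier of the browser/device cookie or app installation
    when: datetime
    success: bool     # whether the first factor (the password) was accepted


# Constructed history: "alice" normally signs in from one laptop during working hours.
HISTORY: List[Attempt] = [
    Attempt("alice", "laptop-1", datetime(2025, 9, 1, 9, 2), True),
    Attempt("alice", "laptop-1", datetime(2025, 9, 2, 8, 55), True),
    Attempt("alice", "laptop-1", datetime(2025, 9, 3, 9, 10), True),
    Attempt("alice", "laptop-1", datetime(2025, 9, 4, 17, 40), True),
]


def _hour_distance(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_score(history: List[Attempt], attempt: Attempt,
               velocity_window: timedelta = timedelta(minutes=10),
               max_recent: int = 5, max_failures: int = 3) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher means riskier. Weights are illustrative."""
    mine = [h for h in history if h.user == attempt.user]
    score, reasons = 0, []

    # Unknown device: never used for a successful login by this user.
    known_devices = {h.device_id for h in mine if h.success}
    if attempt.device_id not in known_devices:
        score += 2
        reasons.append("device not seen before")

    # Time-of-day: far from every hour at which the user has previously logged in.
    usual_hours = {h.when.hour for h in mine if h.success}
    if usual_hours and all(_hour_distance(attempt.when.hour, u) > 3 for u in usual_hours):
        score += 2
        reasons.append("unusual hour")

    # Velocity: many attempts, or many failures, shortly before this one
    # (the pattern of credential stuffing or password guessing).
    recent = [h for h in mine if attempt.when - velocity_window <= h.when <= attempt.when]
    if len(recent) >= max_recent:
        score += 3
        reasons.append(f"{len(recent)} attempts in {velocity_window}")
    failures = sum(1 for h in recent if not h.success)
    if failures >= max_failures:
        score += 3
        reasons.append(f"{failures} recent failures")
    return score, reasons


def decide(history: List[Attempt], attempt: Attempt) -> Tuple[str, List[str]]:
    """Map the score to an action: 'allow', 'step_up' (demand a second factor) or 'block'."""
    score, reasons = risk_score(history, attempt)
    if score >= 6:
        return "block", reasons
    if score >= 2:
        return "step_up", reasons
    return "allow", reasons


def sample_decisions() -> Dict[str, Tuple[str, List[str]]]:
    """Three constructed scenarios: routine login, new phone, and a password-guessing burst."""
    routine = Attempt("alice", "laptop-1", datetime(2025, 9, 5, 9, 5), True)
    new_phone = Attempt("alice", "phone-9", datetime(2025, 9, 5, 9, 5), True)
    burst = [Attempt("alice", "vps-77", datetime(2025, 9, 6, 3, 0, 10 * i), False) for i in range(6)]
    attack = Attempt("alice", "vps-77", datetime(2025, 9, 6, 3, 6), True)
    return {
        "routine": decide(HISTORY, routine),          # ('allow', [])
        "new_device": decide(HISTORY, new_phone),     # ('step_up', ['device not seen before'])
        "burst": decide(HISTORY + burst, attack),     # ('block', [...four reasons...])
    }


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(name, outcome)
```

<p>The point of the three signals is that any one of them alone only raises the bar to a second factor, while a burst of failures from an unknown device at an unusual hour is refused outright. A real deployment would add IP reputation and geolocation to the inputs and tune the weights against observed false-positive rates.</p>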



<p><strong>Types of two-factor authentication products</strong></p>



<p>There are many different devices and services for implementing 2FA, from tokens to radio frequency identification cards to smartphone apps.</p>



<p>Two-factor authentication products make use of two basic features:</p>



<ul class="wp-block-list">
<li>Tokens that are given to users to use when logging in.</li>



<li>Infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.</li>
</ul>



<p>Authentication tokens can be physical devices, such as key fobs or smart cards, or software, such as mobile or desktop apps that generate short numeric codes for authentication. These codes are known as <em>one-time passwords</em> (OTPs). An OTP is a short sequence linked to a particular device, user or account that can be used only once as part of an authentication process. How the code is produced depends on the scheme: for SMS or email OTPs the server generates the code and sends it to the user, whereas a hardware token or authenticator app computes the code itself from a secret it shares with the server (the HOTP and TOTP algorithms), and the server recomputes the expected code to check what the user typed.</p>



<p>Organizations need to deploy a system to accept, process, and allow or deny access to users authenticating with their tokens. These systems can be deployed in the form of server software or as a dedicated hardware server. Third-party vendors also provide authenticating services.</p>



<p>An important aspect of 2FA is ensuring the authenticated user is given access to all the resources they&#8217;re approved for, and only those resources. One key function of a 2FA deployment is therefore linking the authentication system with the organization&#8217;s identity data: the directory that records who each user is and what they are entitled to.</p>



<p>Microsoft, for instance, supports 2FA on Windows 10 and 11 through Windows Hello, a non-password sign-in option for Microsoft accounts. It also authenticates users through Active Directory, Azure AD (now Microsoft Entra ID) and the Fast Identity Online 2 (FIDO2) protocol.</p>



<p><strong>Two-factor authentication for mobile devices</strong></p>



<p>A trusted mobile device is one that a specific user controls and regularly uses for transactions requiring secure access. Because the authentication system already knows the device, it can use that knowledge to skip or simplify steps in the authentication process. For instance, a trusted phone number can be used to receive verification codes by text message or automated phone call; a user must verify at least one trusted phone number to enrol in mobile 2FA.</p>



<p>Smartphones offer a variety of 2FA capabilities, enabling companies to use what works best for them. Some devices can recognize fingerprints, use the built-in camera for facial recognition or iris scanning, or use the microphone for voice recognition. Smartphones equipped with GPS can supply location as an additional signal. Voice or Short Message Service (SMS) can also be used as a channel for out-of-band authentication, with the caveats on SMS discussed below.</p>



<p>Apple iOS, Google Android and Windows 11 all have apps that support 2FA, enabling the phone to serve as the physical device to satisfy the possession factor. Platforms such as Cisco Duo, Microsoft Authenticator and RSA Security SecurID let customers use their trusted devices for 2FA. They establish that a user is trusted before verifying that the mobile device can also be trusted as an authentication factor.</p>



<p>Authenticator apps remove the need to obtain a verification code by text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, users type in their username and password as their knowledge factor. They are then prompted to enter a six-digit number. Instead of waiting for a text message, the app generates the number locally: at enrolment the site and the app share a secret (usually scanned from a QR code), and both derive the same code from that secret and the current time using the TOTP algorithm, so the phone needs no network connection to produce it. The code changes every 30 seconds and is different for every login. By entering the correct number, users complete the verification and prove possession of the enrolled device, which is their possession factor.</p>
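<p>The following Python, added here as an example (not code from the original article, Google or any authenticator vendor), implements the HOTP and TOTP algorithms behind the six-digit codes described above, together with the server-side check that enforces the &#8220;used only once&#8221; rule for OTPs mentioned under token types. The secret is the published RFC 6238 test-vector key, not a real credential; the issuer and account names in the provisioning URI are placeholders.</p>

```python
# Added example (not from the original article): HOTP (RFC 4226) and TOTP (RFC 6238)
# as used by authenticator apps, plus the server-side verification with a drift window
# and single-use enforcement. The Base32 secret below is the RFC 6238 test-vector key,
# not a real credential; everything runs offline.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter = number of `step`-second periods since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode the secret as it appears in a QR code / otpauth URI (unpadded, case-insensitive Base32)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(issuer: str, account: str, base32_secret: str,
                     digits: int = 6, step: int = 30) -> str:
    """Key URI format understood by Google Authenticator and compatible apps (what the QR code encodes)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={base32_secret}&issuer={quote(issuer)}&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side state for one enrolled user: the shared secret and the last time step accepted."""

    def __init__(self, base32_secret: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = decode_base32_secret(base32_secret)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1      # every step <= this has already been consumed

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        code = code.strip()
        if len(code) != self.digits or not code.isascii():
            return False
        now = time.time() if at is None else at
        counter = int(now) // self.step
        # Accept the current step and `window` steps either side to tolerate clock drift,
        # but never a step that has already been used: a TOTP code is valid once.
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                self.last_counter = candidate
                return True
        return False


# RFC 6238 test-vector secret ("12345678901234567890" in Base32); placeholder, not a real key.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(provisioning_uri("Example", "alice@example.com", TEST_SECRET_B32))
    server = TotpVerifier(TEST_SECRET_B32)
    code = totp(server.secret, at=59)                     # what the app shows at T = 59 s
    print(code, server.verify(code, at=59), server.verify(code, at=59))   # 287082 True False
```

<p>Two server-side details matter in practice: the comparison uses <code>hmac.compare_digest</code> rather than <code>==</code>, so response timing does not reveal how many digits matched, and <code>last_counter</code> ensures a code that has been accepted cannot be replayed within its validity window, while the one-step drift window is still honoured for codes that have not been used.</p>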



<p><strong>Authentication standards</strong></p>



<p>The following are open standard authentication protocols that form the basis for different authentication tools that support 2FA:</p>



<ul class="wp-block-list">
<li><strong>FIDO.</strong> The FIDO Alliance developed this family of open standards (the current one being FIDO2, built on the W3C WebAuthn API), which uses public key cryptography. It&#8217;s designed to eliminate the need for passwords, replacing them with phishing-resistant passkeys: the private key never leaves the authenticator, and each credential is bound to the website origin it was registered on, so it cannot be used on a look-alike site.</li>



<li><strong>OAuth 2.0.</strong> Short for open authorization, OAuth 2.0 is an open standard that defines an authorization framework for granting limited access to protected resources, such as files and application programming interfaces (APIs), without sharing the user&#8217;s password. It is an authorization protocol, not an authentication protocol: on its own it says nothing about who the user is, which is why OpenID Connect was layered on top of it. It does support mobile and other native applications (RFC 8252 describes the recommended pattern, using the system browser and PKCE).</li>



<li><strong>OpenID Connect (OIDC).</strong> Developed by the OpenID Foundation, OIDC adds an identity layer on top of OAuth 2.0 (a signed ID token stating who authenticated, when and how) to support authentication and identity management. It supports mobile applications, APIs and browser-based apps.</li>



<li><strong>Security Assertion Markup Language (SAML).</strong> Developed by the Organization for the Advancement of Structured Information Standards (OASIS), SAML is an XML-based open standard for single sign-on to browser-based applications such as websites.</li>
</ul>



<p><strong>Push notifications for 2FA</strong></p>



<p>A push notification is an authentication method, usable as the second factor or on its own in passwordless flows, that verifies a user by sending a notification directly to a secure app on the user&#8217;s registered device, alerting the user that an authentication attempt is in progress. The user can view details of the attempt and either approve or deny it, typically with a single tap. If the user approves, the app returns the approval to the server over its authenticated channel and the server logs the user in to the web app.</p>



<p>Push notifications authenticate the user by confirming that the device (usually a mobile phone) registered with the authentication system is in the user&#8217;s possession. If an attacker compromises that device, the push factor is compromised with it. Push notifications reduce exposure to phishing and credential theft, because there is no code for the user to type into a fake page, but they do not eliminate it: an attacker who already holds the password can trigger a genuine prompt, and a man-in-the-middle phishing proxy that relays the real login will cause a legitimate-looking push to arrive at exactly the moment the victim expects one.</p>



<p>While push notifications are more secure than SMS or email codes, they have their own risks. The best known is MFA fatigue (also called push bombing): an attacker who has the password repeatedly triggers prompts until the user, used to tapping approve whenever a notification arrives, approves one by mistake or simply to stop the noise. Number matching, where the login screen displays a number that the user must enter in the app, and a limit on how many prompts can be outstanding for one user, are the usual countermeasures.</p>
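<p>To make the failure mode concrete, here is a simulated push-approval server, added as an example for this page (not code from Duo, Microsoft or any other vendor). It shows how a reflex tap on a prompt the attacker triggered succeeds when approval is a single tap, and how two common countermeasures, number matching (the user must type a number shown on the legitimate login screen) and a cap on outstanding prompts per user, change the outcome. The user names, the limit and the attacker model are assumptions.</p>

```python
# Added example (not from the original article): a simulated push-approval server showing
# why a plain "tap to approve" prompt is vulnerable to MFA fatigue (push bombing) and how
# number matching and a per-user prompt limit close the gap. Names, limits and the
# attacker model are assumptions made for the example.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PendingRequest:
    user: str
    context: str                 # what the user is shown: app, rough location, time
    challenge: Optional[str]     # number on the login screen; None when number matching is off


class PushServer:
    def __init__(self, number_matching: bool, max_pending_per_user: int = 3):
        self.number_matching = number_matching
        self.max_pending = max_pending_per_user
        self.pending: Dict[str, PendingRequest] = {}

    def start_login(self, user: str, context: str) -> Optional[Tuple[str, Optional[str]]]:
        """Called after the first factor succeeds. Returns (request_id, number_to_display),
        or None when the user already has too many unanswered prompts (push-bombing limit)."""
        open_for_user = sum(1 for r in self.pending.values() if r.user == user)
        if open_for_user >= self.max_pending:
            return None                      # do not send; log and alert instead
        req_id = secrets.token_urlsafe(12)
        challenge = f"{secrets.randbelow(100):02d}" if self.number_matching else None
        self.pending[req_id] = PendingRequest(user, context, challenge)
        return req_id, challenge

    def approve(self, req_id: str, entered: Optional[str] = None) -> bool:
        """Called by the app when the user taps approve (and, with number matching, types the number)."""
        req = self.pending.pop(req_id, None)     # a request can be answered only once
        if req is None:
            return False
        if not self.number_matching:
            return True                          # one tap is all it takes
        if entered is None:
            return False
        return hmac.compare_digest(req.challenge, entered)

    def deny(self, req_id: str) -> None:
        self.pending.pop(req_id, None)


def simulate_fatigue_attack(number_matching: bool) -> Dict[str, bool]:
    """The attacker holds the password and starts logins; the tired user taps approve without
    reading. With number matching the user has no number to type, because the attacker's
    login screen is not in front of them."""
    server = PushServer(number_matching)
    results: Dict[str, bool] = {}

    req_id, _ = server.start_login("alice", "Unknown device, 03:00")
    results["blind_tap_succeeds"] = server.approve(req_id)      # reflex tap, no number typed

    # The attacker keeps hammering: prompts beyond the per-user limit are never sent.
    sent = [server.start_login("alice", "Unknown device") for _ in range(5)]
    results["bombing_rate_limited"] = sent.count(None) > 0

    # Legitimate login: the user reads the number from their own screen and types it.
    legit = PushServer(number_matching)
    req_id, shown = legit.start_login("alice", "Laptop-1, office")
    results["legit_login_succeeds"] = legit.approve(req_id, shown)
    return results


if __name__ == "__main__":
    print("single tap:     ", simulate_fatigue_attack(number_matching=False))
    print("number matching:", simulate_fatigue_attack(number_matching=True))
```

<p>With single-tap approval the blind tap lets the attacker in; with number matching the same tap fails while the genuine login still succeeds, and in both modes the prompt cap stops the fourth and fifth attacker-initiated pushes from ever reaching the phone.</p>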



<p><strong>Is two-factor authentication secure?</strong></p>



<p>Two-factor authentication improves security, but these systems are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when RSA disclosed that attackers had breached its corporate network and stolen information related to its SecurID tokens, after which RSA offered to replace the tokens of affected customers.</p>



<p>The account recovery process in these systems can also be subverted to defeat two-factor authentication. Recovery processes often reset a user&#8217;s current password and email a temporary password so the user can log in again, bypassing the 2FA step. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.</p>



<p>Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it&#8217;s vulnerable to numerous attacks. The National Institute of Standards and Technology (NIST) discourages SMS for 2FA in Special Publication 800-63B, &#8220;Digital Identity Guidelines: Authentication and Lifecycle Management&#8221; (the authentication volume of SP 800-63-3, published in 2017), which classifies one-time codes delivered over the public telephone network (SMS or voice) as a &#8220;restricted&#8221; authenticator. NIST concluded that OTPs sent by SMS are too exposed to SIM-swap and number-porting attacks, attacks against the mobile phone network itself, and malware on the phone that intercepts or redirects text messages.</p>



<p><strong>Future of authentication</strong></p>



<p>Environments that require higher security are starting to use three-factor authentication, which typically combines possession of a physical token and a password with biometric data such as fingerprint scans or voiceprints. Contextual signals such as geolocation, type of device and time of day are also used to decide whether a user should be authenticated, challenged further or blocked.</p>



<p>Other authentication signals emerging include behavioural biometrics, such as a user&#8217;s keystroke dynamics (how long keys are held and how fast the user types) and mouse movements. These are monitored unobtrusively in real time to provide continuous authentication instead of a single one-off check at login.</p>



<p>Relying on passwords as the main method of authentication is still common, but it often no longer offers the security or user experience that companies and their users demand. Even though tools such as password managers and MFA mitigate the problems of usernames and passwords, they still depend on an essentially outdated architecture: the password database.</p>



<p>Consequently, many organizations are turning to passwordless authentication. Methods such as biometrics and public key protocols let users authenticate to applications without entering a password. For businesses, this means employees can access their work without passwords while IT still maintains control over every login. In addition, blockchain use has brought attention to decentralized identifiers and self-sovereign identity as an alternative to traditional authentication methods.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://web.abstechservices.co.uk/2025/02/24/what-is-two-factor-authentication-2fa/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
	</channel>
</rss>
