It would be interesting to have MFA in the first login screen to prevent logon if the LDAP password is stolen. Maybe RADIUS is the most useful. FIDO U2F will be fine too.
Regards,
Would it help in a first step if we would put a Preboot Authentication?
Hi, I'm the OP. If preboot is done with a chain that changes over time (TOTP, token hardware, etc.), it will be great. Otherwise, with a fixed key, it's better than nothing, but it could be related to the other request (Security: Boot password), as I understand, because it could be stolen too (for example, on a train trip. It doesn't have to be a sophisticated attack).
As far as I know lightdm/gdm has pam radius and fido integration, it could be a starting point.
We have passed this feedback to PM. They are evaluating it. I can't promise it will get implemented soonish but at least they are looking at it!
In the meantime: https://videos.igelcommunity.com/how-to-use-igel-os-drive-encryption-video/