[champtar]

u2f and webauthn require https (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...), don't know if it accepts self signed certs and IPs instead of fqdn. Also the auth is locked to the host, so if you use IPs, changing IP means you need to remove 2fa first and re-enroll after. IMO just using a 60+ chars password stored in your password manager + moving the admin access in a separate vlan is simpler and enough.

[actualwitch]

Completely forgot that localhost is a special case for secure contexts... Yeah that would either just not work at all or require some tomfoolery with dynamic subdomains which I would not be comfortable with. TOTP would be the go-to then, I think. I agree about separate vlan though, I have a dedicated port without internet that can only talk to web ui for this reason.

[champtar]

Well TOTP need proper time sync, and most routers don't have battery in them

[actualwitch]

I haven't commonly experienced issues that would cause my router to lose access to ntp for extended periods of time, and in such cases you can just reset using physical button. Of course, TOTP should be optional to use so I am not too worried.