- **status**: in-progress --> review
- **Comment**:

First pass of this is available in branch `db/8117`. There is some polish and email notifications I want to do for sure, and possibly some logic changes.

* you'll need to run `pip install -r requirements.txt` to get new packages (do this within docker, if using docker)
* you'll need to run `python setup.py develop` in the Allura dir, for it to know of new TOTP entry points (again, within docker if using it)

Overall I'm not super happy about using a session variable for `multifactor-username`, but we need some way to store the current partially-auth'd username and we can't just put it as a hidden form field or something like that since the client could change it. We could do an encrypted form field, which would have the benefit of not having to clear out the session var when you go to other pages (which is there so a partial login doesn't stay partially auth'd). But it would mean setting up a good encrypt/decrypt logic for the form field. Maybe worth it?

---

** [tickets:#8117] Implement core 2FA**

**Status:** review
**Milestone:** unreleased
**Labels:** security
**Created:** Mon Aug 15, 2016 03:54 PM UTC by Dave Brondsema
**Last Updated:** Fri Aug 19, 2016 07:55 PM UTC
**Owner:** Dave Brondsema

This ticket is for the essential functionality for TOTP 2FA, separate tickets for other aspects

Some details at http://mail-archives.apache.org/mod_mbox/allura-dev/201608.mbox/%3C28c7a399-86c5-5d75-dde4-2ab54fe7b3e4%40brondsema.net%3E
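The form-field alternative weighed in the comment above, as an added example that is not code from the ticket, the `db/8117` branch or Allura. It swaps encryption for an HMAC signature plus an expiry, since the stated concern is the client changing the username; `SECRET_KEY`, `MAX_AGE_SECONDS`, `make_pending_token` and `read_pending_token` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions: a server-side secret loaded from config in a real deployment,
# and a five-minute window for completing the second factor.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_pending_token(username, now=None):
    """Return a hidden-field value binding `username` to its issue time."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"u": username, "t": issued}).encode("utf-8")
    return base64.urlsafe_b64encode(_sign(payload) + payload).decode("ascii")


def read_pending_token(token, now=None):
    """Return the username if the token is authentic and fresh, else None."""
    now = time.time() if now is None else now
    if not isinstance(token, str):
        return None
    try:
        blob = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # bad padding or non-ASCII input
        return None
    mac, payload = blob[:32], blob[32:]
    # Constant-time comparison; a client-edited username fails here.
    if len(mac) != 32 or not hmac.compare_digest(mac, _sign(payload)):
        return None
    data = json.loads(payload)  # safe to parse only after the MAC check
    # Expiry replaces "clear the session var on other pages".
    if not 0 <= now - data["t"] <= MAX_AGE_SECONDS:
        return None
    return data["u"]
```

Unlike the session variable, this token is not cleared when the user navigates away, so the expiry is what bounds how long a partial login stays usable, and the token can be resubmitted within that window.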