If anyone wants to review or test out what I have so far, that would be great. It's obviously important to make sure this is bug-free. Take a look at https://forge-allura.apache.org/p/allura/tickets/8117/ (branch db/8117) which includes all the core logic. Recovery codes will be implemented soon. My coworker, Kenton, has looked over it, and he's a smart developer but not as familiar with Allura yet. (He is starting to make a couple of contributions.)
On 8/15/16 11:48 AM, Dave Brondsema wrote:
> On 8/14/16 1:23 PM, Rohan Verma wrote:
>> On Sat, Aug 13, 2016 at 1:47 AM, Dave Brondsema <d...@brondsema.net> wrote:
>>
>>> I'd like to work on multifactor authentication soon. I've done some thinking
>>> about it already, and here's what I've got so far.
>>>
>>> I reviewed several other sites to see how they use 2FA and put some screenshots
>>> together of how I think it would work best: http://imgur.com/a/SDKHE
>>>
>>> Standard two-factor authentication uses TOTP (time-based one-time password),
>>> which is all based on a secret key shared between the server and your phone app
>>> (via a QR code), and then validation codes match up based on the current time.
>>> Many python libraries support this, but cryptography.io seems like the best option.
>>> https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
>>> We'd want a plugin option for where to store the secret key: default to mongo,
>>> so it "just works" for anyone running Allura, but other plugins to store on home
>>> directories for example, so it works with other things (e.g. that's where the PAM
>>> module for TOTP stores keys).
>>>
>>> A newer and stronger protocol is U2F, which is hardware keys like those provided
>>> by Yubikey. Only Chrome works with this so far (and a Firefox plugin). Google
>>> and GitHub support this, not many others yet. https://twofactorauth.org/ shows
>>> who supports what. U2F can be run as a standalone server (U2FVAL) but should
>>> also be possible to embed into a python service with this lib
>>> https://github.com/Yubico/python-u2flib-server This would be nice to support,
>>> but maybe as a second phase though.
>>>
>> To test this, hardware will also be needed.
>>
>> I had bookmarked this page (http://tinyhack.com/2015/11/08/teensy-lc-u2f-key/)
>> a long time ago. It uses a Teensy LC for a U2F key. Maybe this could be of use.
>> Although you might be able to find a U2F key easily in the USA.
>>
> Cool, that's a neat option.
>
> I bought a basic Yubikey recently. They are available on Amazon and yubico.com
>
>>> Phone validation is an option too, and we have a PhoneService plugin. However,
>>> that is susceptible to hacks, like someone changing your phone number to a
>>> different device, and then getting your verification codes. Could be an option
>>> though. And a text message could be a handy way to send people a link to
>>> install Google Authenticator or similar apps on their phone.
>>>
>>> Backup recovery codes are completely separate from TOTP or U2F. They are just
>>> extra one-time use codes. They should be stored securely with a hash and
>>> removed after use. http://security.stackexchange.com/a/133010
>>>
>>> At a project level (or neighborhood or system) it may be useful to show who
>>> doesn't have 2FA enabled (e.g. GitHub does this). There could also be an option
>>> to require it.
>>>
>>> Thoughts? Suggestions?
>>>
>>> --
>>> Dave Brondsema : d...@brondsema.net
>>> http://www.brondsema.net : personal
>>> http://www.splike.com : programming
>>> <><

--
Dave Brondsema : d...@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
<><