This is live on https://forge-allura.apache.org/ now if anyone wants to test it out for real :) I will also work on a site news post sooner or later, to promote this new feature of Allura.
On 8/12/16 4:17 PM, Dave Brondsema wrote:
> I'd like to work on multifactor authentication soon. I've done some thinking
> about it already, and here's what I've got so far.
>
> I reviewed several other sites to see how they use 2FA and put some screenshots
> together of how I think it would work best: http://imgur.com/a/SDKHE
>
> Standard two-factor authentication uses TOTP (time-based one-time password)
> which is all based on a secret key shared between the server and your phone app
> (via a QR code) and then validation codes match up based on the current time.
> Many python libraries support this, but cryptography.io seems like the best option.
> https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
> We'd want a plugin option for where to store the secret key: default to mongo,
> so it "just works" for anyone running Allura, but other plugins to store on home
> directories for example, so it works with other things (e.g. that's where the PAM
> module for TOTP stores keys).
>
> A newer and stronger protocol is U2F which is hardware keys like those provided
> by Yubikey. Only Chrome works with this so far (and a Firefox plugin). Google
> and GitHub support this, not many others yet. https://twofactorauth.org/ shows
> who supports what. U2F can be run as a standalone server (U2FVAL) but should
> also be possible to embed into a python service with this lib
> https://github.com/Yubico/python-u2flib-server This would be nice to support,
> but maybe as a second phase though.
>
> Phone validation is an option too, and we have a PhoneService plugin. However,
> that is susceptible to hacks, like someone changing your phone number to a
> different device, and then getting your verification codes. Could be an option
> though. And a text message could be a handy way to send people a link to
> install Google Authenticator or similar apps on their phone.
>
> Backup recovery codes are completely separate from TOTP or U2F. They are just
> extra one-time use codes. They should be stored securely with a hash and
> removed after use. http://security.stackexchange.com/a/133010
>
> At a project level (or neighborhood or system) it may be useful to show who
> doesn't have 2FA enabled (e.g. GitHub does this). There could also be an option
> to require it.
>
> Thoughts? Suggestions?
>
>
> --
> Dave Brondsema : d...@brondsema.net
> http://www.brondsema.net : personal
> http://www.splike.com : programming
> <><
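An added example, not code from Allura or from Dave's message, of the two pieces the quoted mail describes: RFC 6238 TOTP generation and drift-tolerant verification (done here with the standard library's HMAC instead of cryptography.io's TOTP class, which computes the same values), the otpauth:// URI that the QR code carries, and backup recovery codes stored only as hashes and removed when redeemed. The plugin storage layer is not modelled; the in-memory `set` is a stand-in for wherever a storage plugin keeps the hashes.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP time step; the phone app and server must agree on this

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant Google Authenticator expects."""
    counter = struct.pack(">Q", at // STEP)               # time step as big-endian 64-bit
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock
    drift between phone and server; constant-time compare avoids leaking matches."""
    return any(hmac.compare_digest(totp(secret, at + i * STEP), code)
               for i in range(-window, window + 1))

def provisioning_uri(secret: bytes, account: str, issuer: str = "Allura") -> str:
    """The otpauth:// URI that is rendered as the QR code the phone app scans."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"

def new_recovery_codes(n: int = 8) -> list:
    """Random one-time codes shown to the user once; only their hashes get stored."""
    return [secrets.token_hex(5) for _ in range(n)]     # 40 bits of entropy each

def hash_recovery_code(code: str) -> str:
    # The codes are random and high-entropy, so a plain SHA-256 suffices here; a slow
    # password hash only matters for low-entropy, user-chosen secrets.
    return hashlib.sha256(code.encode("ascii")).hexdigest()

def redeem_recovery_code(stored_hashes: set, code: str) -> bool:
    """Consume a recovery code: remove its hash and return True on a match, else False."""
    candidate = hash_recovery_code(code)
    for stored in list(stored_hashes):
        if hmac.compare_digest(stored, candidate):
            stored_hashes.discard(stored)                  # removed after use, never reusable
            return True
    return False
```

The assumed secret in the checks below is the RFC 6238 test-vector key, so the codes can be compared against the RFC's published values.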