On 9/15/16 2:10 PM, Rohan Verma wrote:
> On Thu, Sep 15, 2016 at 8:47 PM, Dave Brondsema <d...@brondsema.net> wrote:
>
>> This is live on https://forge-allura.apache.org/ now if anyone wants to test it
>> out for real :)  I will also work on a site news post sooner or later, to
>> promote this new feature of Allura.
>>
>> Works fine for me and looks good as well. +1
>
> Since I am unable to work on code due to coursework at the moment, I would
> like to volunteer for writing the post on the site along with a small
> tutorial this weekend, if that is okay with you?

Great, thanks!

>
>> On 8/12/16 4:17 PM, Dave Brondsema wrote:
>>> I'd like to work on multifactor authentication soon.  I've done some thinking
>>> about it already, and here's what I've got so far.
>>>
>>> I reviewed several other sites to see how they use 2FA and put some screenshots
>>> together of how I think it would work best: http://imgur.com/a/SDKHE
>>>
>>> Standard two-factor authentication uses TOTP (time-based one-time password),
>>> which is all based on a secret key shared between the server and your phone app
>>> (via a QR code), and then validation codes match up based on the current time.
>>> Many python libraries support this, but cryptography.io seems like the best
>>> option.
>>> https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
>>> We'd want a plugin option for where to store the secret key: default to mongo,
>>> so it "just works" for anyone running Allura, but other plugins to store on home
>>> directories for example, so it works with other things (e.g. that's where the PAM
>>> module for TOTP stores keys).
>>>
>>> A newer and stronger protocol is U2F, which is hardware keys like those provided
>>> by Yubikey.  Only Chrome works with this so far (and a Firefox plugin).  Google
>>> and GitHub support this, not many others yet.  https://twofactorauth.org/ shows
>>> who supports what.  U2F can be run as a standalone server (U2FVAL) but should
>>> also be possible to embed into a python service with this lib
>>> https://github.com/Yubico/python-u2flib-server  This would be nice to support,
>>> but maybe as a second phase though.
>>>
>>> Phone validation is an option too, and we have a PhoneService plugin.  However,
>>> that is susceptible to hacks, like someone changing your phone number to a
>>> different device, and then getting your verification codes.  Could be an option
>>> though.  And a text message could be a handy way to send people a link to
>>> install Google Authenticator or similar apps on their phone.
>>>
>>> Backup recovery codes are completely separate from TOTP or U2F.  They are just
>>> extra one-time use codes.  They should be stored securely with a hash and
>>> removed after use.  http://security.stackexchange.com/a/133010
>>>
>>> At a project level (or neighborhood or system) it may be useful to show who
>>> doesn't have 2FA enabled (e.g. GitHub does this).  There could also be an option
>>> to require it.
>>>
>>> Thoughts?  Suggestions?
>>>
>>
>> --
>> Dave Brondsema : d...@brondsema.net
>> http://www.brondsema.net : personal
>> http://www.splike.com : programming
>> <><
>

--
Dave Brondsema : d...@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
<><
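The TOTP and backup-code scheme sketched in the quoted design message, written out as an added example; this is not Allura's code and not from the thread. It uses only the Python standard library (RFC 4226 HOTP under RFC 6238 TOTP), which is the same algorithm cryptography.io's TOTP class implements, so the outputs can be checked against the RFC 6238 test vectors for the key "12345678901234567890". The User2FA class, the one-step drift window (DRIFT_STEPS), the replay check on the last accepted counter, and the 40-bit backup-code length are assumptions made for the example, not decisions from the thread.

```python
"""TOTP (RFC 6238) verification with a clock-drift window and replay
rejection, plus hashed, single-use backup recovery codes.

Added example using only the standard library.  User2FA, DRIFT_STEPS and
the backup-code length are illustrative choices, not Allura's design.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional
from urllib.parse import quote

DIGITS = 6
TIME_STEP = 30          # seconds per TOTP step (authenticator-app default)
DRIFT_STEPS = 1         # assumption: accept one step either side for clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that is rendered as the QR code the phone app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={TIME_STEP}")


class User2FA:
    """Per-user 2FA state (hypothetical; a real store would be the mongo
    or home-directory plugin the thread mentions)."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(20)   # 160-bit shared secret
        self.last_counter = -1                            # highest counter accepted so far
        self.backup_hashes: List[bytes] = []

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // TIME_STEP
        for c in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            if c < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c <= self.last_counter:
                    return False          # same step already used: replay
                self.last_counter = c
                return True
        return False

    def issue_backup_codes(self, n: int = 10) -> List[str]:
        """Generate n random codes; keep only their hashes, return the
        plaintext once for the user to write down."""
        codes = [secrets.token_hex(5) for _ in range(n)]   # 40 random bits each
        self.backup_hashes = [hashlib.sha256(c.encode()).digest() for c in codes]
        return codes

    def verify_backup_code(self, code: str) -> bool:
        """Constant-time compare against every stored hash; a match is
        deleted so the code cannot be used twice."""
        h = hashlib.sha256(code.strip().lower().encode()).digest()
        for i, stored in enumerate(self.backup_hashes):
            if hmac.compare_digest(stored, h):
                del self.backup_hashes[i]
                return True
        return False


if __name__ == "__main__":
    user = User2FA()
    print(provisioning_uri(user.secret, "alice", "Allura"))
    print("current code:", totp(user.secret, int(time.time())))
    print("backup codes:", user.issue_backup_codes(5))
```

The backup codes are high-entropy random strings, so an unsalted SHA-256 is enough to make the stored list useless to anyone who reads the database, while `compare_digest` keeps the lookup constant-time; a TOTP code, by contrast, is only six digits, which is why the accepted step is recorded and never accepted again.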