On Thu, Sep 15, 2016 at 11:44 PM, Dave Brondsema <d...@brondsema.net> wrote:

> On 9/15/16 2:10 PM, Rohan Verma wrote:
> > On Thu, Sep 15, 2016 at 8:47 PM, Dave Brondsema <d...@brondsema.net> wrote:
> >
> >> This is live on https://forge-allura.apache.org/ now if anyone wants to
> >> test it out for real :)  I will also work on a site news post sooner or
> >> later, to promote this new feature of Allura.
> >>
> >> Works fine for me and looks good as well. +1
> >
> > Since I am unable to work on code due to coursework at the moment, I would
> > like to volunteer for writing the post on the site along with a small
> > tutorial this weekend, if that is okay with you?
>
> Great, thanks!
>

Have sent an MR for the post at [1].

[1]: https://forge-allura.apache.org/p/allura/website/merge-requests/2/


> >
> >> On 8/12/16 4:17 PM, Dave Brondsema wrote:
> >>> I'd like to work on multifactor authentication soon.  I've done some
> >>> thinking about it already, and here's what I've got so far.
> >>>
> >>> I reviewed several other sites to see how they use 2FA and put some
> >>> screenshots together of how I think it would work best: http://imgur.com/a/SDKHE
> >>>
> >>> Standard two-factor authentication uses TOTP (time-based one-time
> >>> password) which is all based on a secret key shared between the server
> >>> and your phone app (via a QR code) and then validation codes match up
> >>> based on the current time.  Many python libraries support this, but
> >>> cryptography.io seems like the best option.
> >>> https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
> >>> We'd want a plugin option for where to store the secret key: default to
> >>> mongo, so it "just works" for anyone running Allura, but other plugins
> >>> to store on home directories for example, so it works with other things
> >>> (e.g. that's where the PAM module for TOTP stores keys).
> >>>
> >>> A newer and stronger protocol is U2F which is hardware keys like those
> >>> provided by Yubikey.  Only Chrome works with this so far (and a Firefox
> >>> plugin).  Google and GitHub support this, not many others yet.
> >>> https://twofactorauth.org/ shows who supports what.  U2F can be run as a
> >>> standalone server (U2FVAL) but should also be possible to embed into a
> >>> python service with this lib https://github.com/Yubico/python-u2flib-server
> >>> This would be nice to support, but maybe as a second phase though.
> >>>
> >>> Phone validation is an option too, and we have a PhoneService plugin.
> >>> However, that is susceptible to hacks, like someone changing your phone
> >>> number to a different device, and then getting your verification codes.
> >>> Could be an option though.  And a text message could be a handy way to
> >>> send people a link to install Google Authenticator or similar apps on
> >>> their phone.
> >>>
> >>> Backup recovery codes are completely separate from TOTP or U2F.  They
> >>> are just extra one-time use codes.  They should be stored securely with
> >>> a hash and removed after use. http://security.stackexchange.com/a/133010
> >>>
> >>> At a project level (or neighborhood or system) it may be useful to show
> >>> who doesn't have 2FA enabled (e.g. GitHub does this).  There could also
> >>> be an option to require it.
> >>>
> >>> Thoughts?  Suggestions?
> >>>
> >>
> >> --
> >> Dave Brondsema : d...@brondsema.net
> >> http://www.brondsema.net : personal
> >> http://www.splike.com : programming
> >>               <><
> >
>
> --
> Dave Brondsema : d...@brondsema.net
> http://www.brondsema.net : personal
> http://www.splike.com : programming
>               <><
>



-- 
Sincerely
Rohan Verma
he...@rohanverma.net
