On Thu, Sep 15, 2016 at 11:44 PM, Dave Brondsema <d...@brondsema.net> wrote:
> On 9/15/16 2:10 PM, Rohan Verma wrote:
> > On Thu, Sep 15, 2016 at 8:47 PM, Dave Brondsema <d...@brondsema.net> wrote:
> >
> >> This is live on https://forge-allura.apache.org/ now if anyone wants to test it
> >> out for real :) I will also work on a site news post sooner or later, to
> >> promote this new feature of Allura.
> >>
> >> Works fine for me and looks good as well. +1
> >
> > Since I am unable to work on code due to coursework at the moment, I would
> > like to volunteer for writing the post on the site along with a small
> > tutorial this weekend, if that is okay with you?
>
> Great, thanks!
>

Have sent an MR for the post at [1].

[1]: https://forge-allura.apache.org/p/allura/website/merge-requests/2/

>
> >
> >> On 8/12/16 4:17 PM, Dave Brondsema wrote:
> >>> I'd like to work on multifactor authentication soon. I've done some thinking
> >>> about it already, and here's what I've got so far.
> >>>
> >>> I reviewed several other sites to see how they use 2FA and put some screenshots
> >>> together of how I think it would work best: http://imgur.com/a/SDKHE
> >>>
> >>> Standard two-factor authentication uses TOTP (time-based one-time password)
> >>> which is all based on a secret key shared between the server and your phone app
> >>> (via a QR code) and then validation codes match up based on the current time.
> >>> Many python libraries support this, but cryptography.io seems like the best
> >>> option.
> >>> https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
> >>> We'd want a plugin option for where to store the secret key: default to mongo,
> >>> so it "just works" for anyone running Allura, but other plugins to store on home
> >>> directories for example, so it works with other things (e.g. that's where the PAM
> >>> module for TOTP stores keys).
> >>>
> >>> A newer and stronger protocol is U2F which is hardware keys like those provided
> >>> by Yubikey. Only Chrome works with this so far (and a Firefox plugin). Google
> >>> and GitHub support this, not many others yet. https://twofactorauth.org/ shows
> >>> who supports what. U2F can be run as a standalone server (U2FVAL) but should
> >>> also be possible to embed into a python service with this lib
> >>> https://github.com/Yubico/python-u2flib-server This would be nice to support,
> >>> but maybe as a second phase though.
> >>>
> >>> Phone validation is an option too, and we have a PhoneService plugin. However,
> >>> that is susceptible to hacks, like someone changing your phone number to a
> >>> different device, and then getting your verification codes. Could be an option
> >>> though. And a text message could be a handy way to send people a link to
> >>> install Google Authenticator or similar apps on their phone.
> >>>
> >>> Backup recovery codes are completely separate from TOTP or U2F. They are just
> >>> extra one-time use codes. They should be stored securely with a hash and
> >>> removed after use. http://security.stackexchange.com/a/133010
> >>>
> >>> At a project level (or neighborhood or system) it may be useful to show who
> >>> doesn't have 2FA enabled (e.g. GitHub does this). There could also be an option
> >>> to require it.
> >>>
> >>> Thoughts? Suggestions?
> >>>
> >>
> >> --
> >> Dave Brondsema : d...@brondsema.net
> >> http://www.brondsema.net : personal
> >> http://www.splike.com : programming
> >> <><
> >
>

--
Sincerely
Rohan Verma
he...@rohanverma.net