I'd like to work on multifactor authentication soon. I've done some thinking about it already, and here's what I've got so far.
I reviewed several other sites to see how they use 2FA and put some screenshots together of how I think it would work best: http://imgur.com/a/SDKHE

Standard two-factor authentication uses TOTP (time-based one-time password), which is all based on a secret key shared between the server and your phone app (via a QR code); validation codes then match up based on the current time. Many Python libraries support this, but cryptography.io seems like the best option: https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP

We'd want a plugin option for where to store the secret key: default to mongo, so it "just works" for anyone running Allura, but other plugins to store in home directories, for example, so it works with other things (e.g. that's where the PAM module for TOTP stores keys).

A newer and stronger protocol is U2F, which uses hardware keys like those provided by Yubikey. Only Chrome works with this so far (and a Firefox plugin). Google and GitHub support this, not many others yet. https://twofactorauth.org/ shows who supports what. U2F can be run as a standalone server (U2FVAL) but should also be possible to embed into a Python service with this lib: https://github.com/Yubico/python-u2flib-server This would be nice to support, but maybe as a second phase.

Phone validation is an option too, and we have a PhoneService plugin. However, that is susceptible to hacks, like someone changing your phone number to a different device and then getting your verification codes. Could be an option though. And a text message could be a handy way to send people a link to install Google Authenticator or similar apps on their phone.

Backup recovery codes are completely separate from TOTP or U2F. They are just extra one-time-use codes. They should be stored securely with a hash and removed after use. http://security.stackexchange.com/a/133010

At a project level (or neighborhood or system) it may be useful to show who doesn't have 2FA enabled (e.g. GitHub does this). There could also be an option to require it.

Thoughts? Suggestions?

-- 
Dave Brondsema : [email protected]
http://www.brondsema.net : personal
http://www.splike.com : programming
<><
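For reference, here is what the two pieces described in the message (TOTP with a shared secret, and hashed one-time recovery codes) look like end to end. This is an added example, not Allura code and not the cryptography.io API the message links to; it implements RFC 4226/6238 directly on the Python standard library so it runs without extra packages, and the function names, the "Allura" issuer string, the PBKDF2 parameters and the 10-hex-character recovery-code format are all assumptions chosen for illustration. The secret used in the usage call is the RFC 6238 test vector, so the expected codes can be checked against the RFC.

```python
"""Added example (hypothetical helper code, not Allura's): RFC 6238 TOTP and
hashed one-time recovery codes using only the Python standard library.
cryptography.io's TOTP class would replace hotp()/totp() in a real deployment."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # Google Authenticator and most phone apps expect 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Allura") -> str:
    """otpauth:// URI to put in the enrolment QR code. The secret is base32
    without padding, which is what phone apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = STEP, digits: int = DIGITS):
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift, but never a counter at or below
    `last_counter` (the counter of the last code this user successfully used),
    so a captured code cannot be replayed while it is still inside the window.
    Every candidate is compared in constant time.
    """
    base = at // step
    matched = None
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code) and counter > last_counter:
            matched = counter
    return matched


def _hash_recovery_code(code: str, salt: bytes) -> bytes:
    # Normalise what a user might type (case, dashes, whitespace) before hashing.
    normalized = code.strip().replace("-", "").lower()
    # Assumed parameters: salted PBKDF2-HMAC-SHA256; codes are short, so a slow hash matters.
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


def generate_recovery_codes(n: int = 10):
    """Return (plaintext codes to show the user once, records to persist).
    Only salt + hash are stored; the plaintext never goes to the database."""
    plain, records = [], []
    for _ in range(n):
        code = secrets.token_hex(5)          # 40 bits of entropy, 10 hex characters
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash_recovery_code(code, salt)})
        plain.append(code)
    return plain, records


def redeem_recovery_code(records: list, code: str) -> bool:
    """Consume a recovery code: True (and the record is removed) if it matches
    one of the stored hashes, otherwise False. Each code works exactly once."""
    for record in records:
        if hmac.compare_digest(_hash_recovery_code(code, record["salt"]), record["hash"]):
            records.remove(record)           # one-time use: delete after success
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); constructed input.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice"))
    print("code at t=59:", totp(demo_secret, 59))        # RFC vector gives 287082
    print("matched counter:", verify_totp(demo_secret, totp(demo_secret, 59), 59))
    shown, stored = generate_recovery_codes(3)
    print("redeem once:", redeem_recovery_code(stored, shown[0]),
          "again:", redeem_recovery_code(stored, shown[0]))
```

Two practitioner details the message does not spell out are visible here: a TOTP verifier must remember the last counter it accepted per user, otherwise a code phished a few seconds earlier is still valid for the rest of its 30-second window; and recovery codes are short, so they should go through a slow salted hash and be deleted on first successful use rather than merely flagged.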
