allura-dev mailing list archives

From Dave Brondsema <d...@brondsema.net>
Subject Multifactor authentication
Date Fri, 12 Aug 2016 20:17:59 GMT
I'd like to work on multifactor authentication soon.  I've done some thinking
about it already, and here's what I've got so far.

I reviewed several other sites to see how they use 2FA and put some screenshots
together of how I think it would work best: http://imgur.com/a/SDKHE

Standard two-factor authentication uses TOTP (time-based one-time password)
which is all based on a secret key shared between the server and your phone app
(via a QR code) and then validation codes match up based on the current time.
Many python libraries support this, but cryptography.io seems like the best
option.
https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
We'd want a plugin option for where to store the secret key: default to mongo,
so it "just works" for anyone running Allura, but other plugins to store on home
directories for example, so it works with other things (e.g. that's where the PAM
module for TOTP stores keys).

A newer and stronger protocol is U2F which is hardware keys like those provided
by Yubikey.  Only Chrome works with this so far (and a Firefox plugin).  Google
and GitHub support this, not many others yet.  https://twofactorauth.org/ shows
who supports what.  U2F can be run as a standalone server (U2FVAL), but it should
also be possible to embed into a python service with this lib:
https://github.com/Yubico/python-u2flib-server  This would be nice to support,
but maybe as a second phase.

Phone validation is an option too, and we have a PhoneService plugin.  However,
that is susceptible to hacks, like someone changing your phone number to a
different device, and then getting your verification codes.  Could be an option
though.  And a text message could be a handy way to send people a link to
install Google Authenticator or similar apps on their phone.

Backup recovery codes are completely separate from TOTP or U2F.  They are just
extra one-time use codes.  They should be stored securely with a hash and
removed after use. http://security.stackexchange.com/a/133010

At a project level (or neighborhood or system) it may be useful to show who
doesn't have 2FA enabled (e.g. GitHub does this).  There could also be an option
to require it.

Thoughts?  Suggestions?



-- 
Dave Brondsema : dave@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
              <><

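The TOTP scheme and the hashed, one-time recovery codes described in the message above, as an added example that is not part of the original post, not Allura code, and not the cryptography.io API the post links to. It implements RFC 4226/6238 directly with the Python standard library so it runs offline, and it adds the two checks a practitioner would want on top of plain code matching: a small clock-drift window with constant-time comparison, and refusal to accept a time-step counter at or below the last one that succeeded, so a code captured in transit cannot be replayed within its 30-second validity. The `provisioning_uri` helper, the "Allura" issuer string, the `RecoveryCodeStore` class and the PBKDF2 round count are illustrative assumptions, not anything the project defines.

```python
"""TOTP (RFC 6238) verification plus hashed one-time recovery codes.

Added example using only the standard library.  Not Allura's code and not
the cryptography.io TOTP class; function and class names are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since epoch."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the code matched, or None.

    Tolerates +/- `window` steps of clock drift between server and phone,
    compares in constant time, and skips any counter <= last_counter so a
    code that was already accepted (or sniffed) cannot be replayed.  The
    caller persists the returned counter next to the user's secret.
    """
    base = int(at) // step
    for k in range(-window, window + 1):
        c = base + k
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str = "Allura") -> str:
    """otpauth:// URI that authenticator apps scan from a QR code (issuer is assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{issuer}:{urllib.parse.quote(account)}?{query}"


# Recovery codes are independent of TOTP: random, hashed at rest, deleted on use.
PBKDF2_ROUNDS = 50_000  # assumed cost; codes are high-entropy so this is a modest stretch


def generate_recovery_codes(n: int = 10) -> list:
    """Plaintext codes shown to the user exactly once (40 bits of entropy each)."""
    return [secrets.token_hex(5) for _ in range(n)]


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """What would be persisted per user: per-code salt and hash, never plaintext."""

    def __init__(self, codes):
        self.entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self.entries.append((salt, _hash_code(code, salt)))

    def redeem(self, code: str) -> bool:
        """Consume a matching code; once used it is removed and cannot match again."""
        for i, (salt, digest) in enumerate(self.entries):
            if hmac.compare_digest(_hash_code(code, salt), digest):
                del self.entries[i]
                return True
        return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59, digits=8))  # 94287082, matching the RFC test vector
    print(provisioning_uri(rfc_secret, "dave"))
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1) give a quick self-check: T=59 yields 94287082 and T=1111111109 yields 07081804 with 8 digits. Storing the secret itself is the plugin question the message raises; whatever the backend, it is the TOTP seed that must stay confidential, while the recovery store above holds only salted hashes, so a dump of it does not yield usable codes.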