allura-dev mailing list archives

From Dave Brondsema <>
Subject Re: Multifactor authentication
Date Mon, 15 Aug 2016 15:48:11 GMT
On 8/14/16 1:23 PM, Rohan Verma wrote:
> On Sat, Aug 13, 2016 at 1:47 AM, Dave Brondsema <> wrote:
>> I'd like to work on multifactor authentication soon.  I've done some thinking
>> about it already, and here's what I've got so far.
>> I reviewed several other sites to see how they use 2FA and put some screenshots
>> together of how I think it would work best:
>> Standard two-factor authentication uses TOTP (time-based one-time password)
>> which is all based on a secret key shared between the server and your phone app
>> (via a QR code) and then validation codes match up based on the current time.
>> Many python libraries support this, but seems like the best option.
>> twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
>> We'd want a plugin option for where to store the secret key: default to mongo,
>> so it "just works" for anyone running Allura, but other plugins to store on home
>> directories for example, so it works with other things (e.g. that's where the PAM
>> module for TOTP stores keys).
>> A newer and stronger protocol is U2F which is hardware keys like those provided
>> by Yubikey.  Only Chrome works with this so far (and a Firefox plugin).  Google
>> and GitHub support this, not many others yet.
>> shows who supports what.  U2F can be run as a standalone server (U2FVAL) but
>> should also be possible to embed into a python service with this lib
>> This would be nice to support, but maybe as a second phase though.
> To test this, hardware will also be needed.
> I had bookmarked this page (
> a long time ago.  It uses a Teensy LC for U2F key.  Maybe this could be of use.
> Although you might be able to find a U2F key easily in the USA.

Cool, that's a neat option.

I bought a basic Yubikey recently.  They are available on Amazon and

>> Phone validation is an option too, and we have a PhoneService plugin.  However,
>> that is susceptible to hacks, like someone changing your phone number to a
>> different device, and then getting your verification codes.  Could be an option
>> though.  And a text message could be a handy way to send people a link to
>> install Google Authenticator or similar apps on their phone.
>> Backup recovery codes are completely separate from TOTP or U2F.  They are just
>> extra one-time use codes.  They should be stored securely with a hash and
>> removed after use.
>> At a project level (or neighborhood or system) it may be useful to show who
>> doesn't have 2FA enabled (e.g. GitHub does this).  There could also be an option
>> to require it.
>> Thoughts?  Suggestions?
>> --
>> Dave Brondsema : : personal : programming

Dave Brondsema : : personal : programming
