allura-dev mailing list archives

From Dave Brondsema <>
Subject Re: Multifactor authentication
Date Thu, 01 Sep 2016 21:00:19 GMT
If anyone wants to review or test out what I have so far, that would be
great.  It's obviously important to make sure this is bug-free.  Take a look at (branch db/8117) which
includes all the core logic.  Recovery codes will be implemented soon.  My
coworker, Kenton, has looked over it, and he's a smart developer but not as
familiar with Allura yet.  (He is starting to make a couple of contributions.)

On 8/15/16 11:48 AM, Dave Brondsema wrote:
> On 8/14/16 1:23 PM, Rohan Verma wrote:
>> On Sat, Aug 13, 2016 at 1:47 AM, Dave Brondsema <> wrote:
>>> I'd like to work on multifactor authentication soon.  I've done some thinking
>>> about it already, and here's what I've got so far.
>>> I reviewed several other sites to see how they use 2FA and put some screenshots
>>> together of how I think it would work best:
>>> Standard two-factor authentication uses TOTP (time-based one-time password)
>>> which is all based on a secret key shared between the server and your phone app
>>> (via a QR code) and then validation codes match up based on the current time.
>>> Many python libraries support this, but seems like the best option.
>>> twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
>>> We'd want a plugin option for where to store the secret key: default to mongo,
>>> so it "just works" for anyone running Allura, but other plugins to store on home
>>> directories for example, so it works with other things (e.g. that's where the PAM
>>> module for TOTP stores keys).
>>> A newer and stronger protocol is U2F, which is hardware keys like those provided
>>> by Yubikey.  Only Chrome works with this so far (and a Firefox plugin).  Google
>>> and GitHub support this, not many others yet.
>>> shows who supports what.  U2F can be run as a standalone server (U2FVAL) but
>>> should also be possible to embed into a python service with this lib
>>> This would be nice to support, but maybe as a second phase though.
>> To test this, hardware will also be needed.
>> I had bookmarked this page (
>> a long time ago. It uses
>> a Teensy LC for U2F key. Maybe this could be of use. Although you might be
>> able to find a U2F key easily in the USA.
> Cool, that's a neat option.
> I bought a basic Yubikey recently.  They are available on Amazon and
>>> Phone validation is an option too, and we have a PhoneService plugin.  However,
>>> that is susceptible to hacks, like someone changing your phone number to a
>>> different device, and then getting your verification codes.  Could be an option
>>> though.  And a text message could be a handy way to send people a link to
>>> install Google Authenticator or similar apps on their phone.
>>> Backup recovery codes are completely separate from TOTP or U2F.  They are just
>>> extra one-time use codes.  They should be stored securely with a hash and
>>> removed after use.
>>> At a project level (or neighborhood or system) it may be useful to show who
>>> doesn't have 2FA enabled (e.g. GitHub does this).  There could also be an option
>>> to require it.
>>> Thoughts?  Suggestions?
>>> --
>>> Dave Brondsema :
>>> : personal
>>> : programming
>>>               <><

Dave Brondsema : : personal : programming
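The TOTP flow and the hashed, one-time recovery codes described in the quoted proposal, as an added example that is not code from the Allura db/8117 branch or from anyone in the thread. It implements RFC 6238 TOTP with the standard library's hmac module instead of the cryptography library mentioned above, and the "Allura" issuer label in the provisioning URI, the recovery-code format and the PBKDF2 iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def totp_code(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP over the counter floor(for_time / step), HMAC-SHA1."""
    counter = int(for_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew).

    A real server should additionally remember the last accepted counter per user and
    refuse to accept the same code a second time inside the window (replay protection).
    """
    for drift in range(-window, window + 1):
        candidate = totp_code(secret, now + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str = "Allura") -> str:
    """otpauth:// URI that an authenticator app reads from the QR code (issuer label assumed)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


class RecoveryCodeStore:
    """Backup codes, independent of TOTP: plaintext shown to the user exactly once,
    only salted PBKDF2 hashes kept, and each entry deleted after a successful use."""

    ITERATIONS = 100_000  # assumption: tune to the server; the codes carry ~40 bits of entropy

    def __init__(self):
        self._entries = []  # (salt, hash) per unused code; the plaintext is never stored

    @staticmethod
    def _normalize(code: str) -> str:
        return code.strip().lower().replace("-", "")

    def _hash(self, code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", self._normalize(code).encode(), salt, self.ITERATIONS)

    def generate(self, count: int = 10) -> list:
        """Replace any existing codes and return the new plaintext codes (show once, then forget)."""
        plaintext, self._entries = [], []
        for _ in range(count):
            raw = secrets.token_hex(5)             # 10 hex characters from the CSPRNG
            code = f"{raw[:5]}-{raw[5:]}"          # assumed display format: xxxxx-xxxxx
            salt = secrets.token_bytes(16)
            self._entries.append((salt, self._hash(code, salt)))
            plaintext.append(code)
        return plaintext

    def redeem(self, code: str) -> bool:
        """True if `code` matches an unused entry; that entry is removed so it cannot be reused."""
        for i, (salt, stored) in enumerate(self._entries):
            if hmac.compare_digest(self._hash(code, salt), stored):
                del self._entries[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret, counter 1 (time 59) yields 287082.
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice"))
    print(totp_code(secret, 59), verify_totp(secret, totp_code(secret, 59), now=89))
    store = RecoveryCodeStore()
    codes = store.generate()
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

The time-window check is what makes a phone whose clock is a few seconds off still work, and the constant-time comparison keeps the verifier from leaking how many digits matched. Storing recovery codes as salted hashes and deleting each on use gives exactly the "stored securely with a hash and removed after use" behaviour from the proposal; a leaked database then yields no usable backup codes.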
