allura-dev mailing list archives

From Dave Brondsema <>
Subject Re: Multifactor authentication
Date Thu, 15 Sep 2016 15:17:33 GMT
This is live on now if anyone wants to test it
out for real :)  I will also work on a site news post sooner or later, to
promote this new feature of Allura.

On 8/12/16 4:17 PM, Dave Brondsema wrote:
> I'd like to work on multifactor authentication soon.  I've done some thinking
> about it already, and here's what I've got so far.
> I reviewed several other sites to see how they use 2FA and put some screenshots
> together of how I think it would work best:
> Standard two-factor authentication uses TOTP (time-based one-time password)
> which is all based on a secret key shared between the server and your phone app
> (via a QR code) and then validation codes match up based on the current time.
> Many python libraries support this, but seems like the best
> option.
> We'd want a plugin option for where to store the secret key: default to mongo,
> so it "just works" for anyone running Allura, but other plugins to store on home
> directories for example, so it works with other things (e.g. that's where the PAM
> module for TOTP stores keys).
> A newer and stronger protocol is U2F which is hardware keys like those provided
> by Yubikey.  Only Chrome works with this so far (and a Firefox plugin).  Google
> and GitHub support this, not many others yet. shows
> who supports what.  U2F can be run as a standalone server (U2FVAL) but should
> also be possible to embed into a python service with this lib
> This would be nice to support,
> but maybe as a second phase though.
> Phone validation is an option too, and we have a PhoneService plugin.  However,
> that is susceptible to hacks, like someone changing your phone number to a
> different device, and then getting your verification codes.  Could be an option
> though.  And a text message could be a handy way to send people a link to
> install Google Authenticator or similar apps on their phone.
> Backup recovery codes are completely separate from TOTP or U2F.  They are just
> extra one-time use codes.  They should be stored securely with a hash and
> removed after use.
> At a project level (or neighborhood or system) it may be useful to show who
> doesn't have 2FA enabled (e.g. GitHub does this).  There could also be an option
> to require it.
> Thoughts?  Suggestions?

Dave Brondsema : : personal : programming
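The TOTP flow and the backup recovery codes described in the quoted message, as an added illustration that is not Allura's own code: the shared secret is turned into the otpauth URI a phone app reads from the QR code, codes are derived from the current 30-second step per RFC 6238 (with a one-step drift window and a constant-time compare), and recovery codes are stored only as salted PBKDF2 hashes and deleted once redeemed. Function names, the "Allura" issuer label and the PBKDF2 parameters are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, at // step, digits)

def verify_totp(secret, submitted, at, step=30, window=1):
    """Accept the current step plus `window` steps either side to tolerate phone
    clock drift; compare in constant time so a wrong guess leaks no timing."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), submitted):
            return True
    return False

def provisioning_uri(secret, account, issuer="Allura"):
    """otpauth:// URI encoded into the QR code; the secret travels as base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30"
            % (quote(issuer), quote(account), b32, quote(issuer)))

def generate_recovery_codes(n=10, iterations=100_000):
    """Return the plaintext codes to show the user once, and the salted PBKDF2
    hashes to persist; the plaintext is never stored server-side."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    stored = []
    for code in codes:
        salt = secrets.token_bytes(16)
        stored.append((salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iterations)))
    return codes, stored

def redeem_recovery_code(stored, submitted, iterations=100_000):
    """Consume a recovery code: hash the submission against each stored salt and
    delete the matching entry so the code is single-use."""
    cleaned = submitted.strip().lower().encode()
    for i, (salt, digest) in enumerate(stored):
        candidate = hashlib.pbkdf2_hmac("sha256", cleaned, salt, iterations)
        if hmac.compare_digest(candidate, digest):
            del stored[i]
            return True
    return False
```

The TOTP values can be checked against the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`): time 59 gives 287082 and time 1111111109 gives 081804 at six digits.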
