allura-dev mailing list archives

From Rohan Verma <he...@rohanverma.net>
Subject Re: Multifactor authentication
Date Thu, 15 Sep 2016 18:10:25 GMT
On Thu, Sep 15, 2016 at 8:47 PM, Dave Brondsema <dave@brondsema.net> wrote:

> This is live on https://forge-allura.apache.org/ now if anyone wants to test it
> out for real :)  I will also work on a site news post sooner or later, to
> promote this new feature of Allura.

Works fine for me and looks good as well. +1

Since I am unable to work on code due to coursework at the moment, I would
like to volunteer to write the post on the site, along with a small
tutorial, this weekend, if that is okay with you?


> On 8/12/16 4:17 PM, Dave Brondsema wrote:
> > I'd like to work on multifactor authentication soon.  I've done some thinking
> > about it already, and here's what I've got so far.
> >
> > I reviewed several other sites to see how they use 2FA and put some screenshots
> > together of how I think it would work best: http://imgur.com/a/SDKHE
> >
> > Standard two-factor authentication uses TOTP (time-based one-time password)
> > which is all based on a secret key shared between the server and your phone app
> > (via a QR code) and then validation codes match up based on the current time.
> > Many python libraries support this, but cryptography.io seems like the best
> > option.
> > https://cryptography.io/en/latest/hazmat/primitives/twofactor/#cryptography.hazmat.primitives.twofactor.totp.TOTP
> > We'd want a plugin option for where to store the secret key: default to mongo,
> > so it "just works" for anyone running Allura, but other plugins to store on home
> > directories for example, so it works with other things (e.g that's where the PAM
> > module for TOTP stores keys).
> >
> > A newer and stronger protocol is U2F which is hardware keys like those provided
> > by Yubikey.  Only Chrome works with this so far (and a Firefox plugin).  Google
> > and GitHub support this, not many others yet.  https://twofactorauth.org/ shows
> > who supports what.  U2F can be run as a standalone server (U2FVAL) but should
> > also be possible to embed into a python service with this lib
> > https://github.com/Yubico/python-u2flib-server  This would be nice to support,
> > but maybe as a second phase though.
> >
> > Phone validation is an option too, and we have a PhoneService plugin.  However,
> > that is susceptible to hacks, like someone changing your phone number to a
> > different device, and then getting your verification codes.  Could be an option
> > though.  And a text message could be a handy way to send people a link to
> > install Google Authenticator or similar apps on their phone.
> >
> > Backup recovery codes are completely separate from TOTP or U2F.  They are just
> > extra one-time use codes.  They should be stored securely with a hash and
> > removed after use. http://security.stackexchange.com/a/133010
> >
> > At a project level (or neighborhood or system) it may be useful to show who
> > doesn't have 2FA enabled (e.g. GitHub does this).  There could also be an option
> > to require it.
> >
> > Thoughts?  Suggestions?
> >
>
> --
> Dave Brondsema : dave@brondsema.net
> http://www.brondsema.net : personal
> http://www.splike.com : programming
>               <><
>



-- 
Sincerely
Rohan Verma
hello@rohanverma.net
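Dave's notes above on TOTP (a shared secret delivered by QR code, codes derived from the current time) and on recovery codes (stored hashed, removed after use), worked out in running code. This is an added example, not Allura's implementation and not the cryptography.io API linked in the thread; it uses only the Python standard library, and the account name, issuer string, 30-second step, one-step skew window and 80-bit recovery-code length are assumptions chosen for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Added example (not Allura code): RFC 4226 HOTP / RFC 6238 TOTP with the
# standard library only, plus hashed one-time recovery codes.  The
# cryptography.io TOTP class named in the thread wraps the same generate /
# verify-at-timestamp operation; this is just the arithmetic underneath it.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side
    (phone/server clock skew).  Every candidate is compared in constant time
    and the loop never exits early, so timing does not reveal which step matched."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(key, at + drift * step, step=step)
        ok = hmac.compare_digest(candidate.encode(), code.encode()) or ok
    return ok


def new_totp_secret() -> bytes:
    """160-bit random shared secret, generated server-side at enrolment."""
    return secrets.token_bytes(20)


def provisioning_uri(key: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that Google Authenticator and similar apps read from the
    enrolment QR code (Google 'Key Uri Format'; label/issuer are hypothetical)."""
    secret = base64.b32encode(key).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def hash_recovery_code(code: str) -> str:
    # Codes are 80 bits of server-generated randomness, not user-chosen
    # passwords, so a fast unsalted hash already makes a leaked table useless;
    # short or user-chosen codes would need a salted slow KDF instead.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def new_recovery_codes(n: int = 10) -> tuple[list[str], list[str]]:
    """Return (plaintext codes to show the user exactly once, hashes to persist)."""
    codes = [secrets.token_hex(10) for _ in range(n)]
    return codes, [hash_recovery_code(c) for c in codes]


def redeem_recovery_code(stored_hashes: list[str], code: str) -> bool:
    """One-time use: the matching hash is deleted from `stored_hashes`, so the
    same code cannot be replayed."""
    h = hash_recovery_code(code)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, h):
            del stored_hashes[i]
            return True
    return False


if __name__ == "__main__":
    key = new_totp_secret()
    print(provisioning_uri(key, "alice@example.org", "Allura"))
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "verifies:", verify_totp(key, code, now))
    plain, hashes = new_recovery_codes(3)
    print("recovery codes (show once):", plain)
    print("redeem once:", redeem_recovery_code(hashes, plain[0]),
          "again:", redeem_recovery_code(hashes, plain[0]))
```

The `hotp`/`totp` pair reproduces the RFC 4226 and RFC 6238 test vectors for the ASCII secret `12345678901234567890`, which is a quick way to check any TOTP implementation before wiring it to a login form. Two things the library does not do for the application are shown here on purpose: tolerating a step of clock skew without short-circuiting the comparison, and treating recovery codes as hashed, single-use credentials rather than a second static password.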
