
Feature Request: Support U2F authentication #547

Open
MatthiasLohr opened this Issue Apr 20, 2018 · 13 comments

@MatthiasLohr

MatthiasLohr commented Apr 20, 2018

Hello,

I wanted to propose starting a discussion about increased account security. U2F is one (of many) possible standards for securing website logins with a second factor. Some big companies like Google, Facebook, etc. already support it. So my proposal is to include that feature in Froxlor, to give interested users the possibility to secure their account.

There could also be a new admin feature which allows forcing users to use second-factor authentication.

Best regards
Matthias

@d00p d00p added this to the 0.10.0 milestone Apr 25, 2018

@d00p d00p self-assigned this Apr 25, 2018

@PHPGangsta

Contributor

PHPGangsta commented Nov 14, 2018

Yes, that would be nice!
The new WebAuthn standard is finalized, and supports FIDO U2F, FIDO 2.0, and so on. Browser support: Firefox 60+, Chrome 67+, Opera 54+, Edge 18+, Chrome on Android 70.

Please allow each user to create multiple second factors, so a user can add his two U2F devices, one he keeps in his pocket and the other (a backup) in a safe place.

It would be nice if there could be multiple types of second factors, for example "Code via E-Mail", "Code via SMS", "Google Authenticator", and "FIDO U2F via WebAuthn". WordPress has a nice plugin called "Two factor", which provides multiple methods for each user:
https://www.wpbeginner.com/plugins/how-to-add-two-factor-authentication-for-wordpress/
But this plugin only supports legacy U2F, not WebAuthn. I just posted it as an example of how it could look in Froxlor.

@d00p

Member

d00p commented Nov 15, 2018

Sounds nice @PHPGangsta - definitely worth a look

@MatthiasLohr

Author

MatthiasLohr commented Nov 15, 2018

Maybe starting with everything is too much. Just make a simple start with one kind of second factor, e.g. U2F hardware tokens. Once the foundation for that is implemented, it's also easier for community members to contribute new methods.
But of course, if you want to do them all right now, feel free :D

@d00p

Member

d00p commented Nov 15, 2018

Let's first get done with the API-based 0.10.0 version - then see what we can do here :)

@MatthiasLohr

Author

MatthiasLohr commented Nov 20, 2018

When will 0.10.0 be released?

@d00p

Member

d00p commented Nov 20, 2018

Like every other version before: when it's done

@d00p d00p closed this in 69495b9 Nov 30, 2018

@MatthiasLohr

Author

MatthiasLohr commented Nov 30, 2018

Actually, you implemented TOTP. That's not U2F. So I would suggest reopening this ticket.

@d00p

Member

d00p commented Nov 30, 2018

Well, it's two-factor authentication... if you're not satisfied with the presented solution then please feel free to provide a pull request.

@MatthiasLohr

Author

MatthiasLohr commented Nov 30, 2018

If I find the time I will do that.

But since the idea of this ticket was not "any 2FA" but "U2F", it should be reopened (if the feature is desired) - or left closed if not. But then there is no need for a pull request if it's not desired.

@d00p

Member

d00p commented Nov 30, 2018

I do not see a large target group for that, so I won't implement U2F; there are enough other features with a way larger target group.

@MatthiasLohr

Author

MatthiasLohr commented Nov 30, 2018

Right now I'm only asking to reopen the ticket. See it as motivation for others (e.g. me) to implement that.

@d00p d00p removed their assignment Nov 30, 2018

@d00p d00p removed this from the 0.10.0 milestone Nov 30, 2018

@d00p d00p reopened this Nov 30, 2018

@PHPGangsta

Contributor

PHPGangsta commented Nov 30, 2018

If I see it correctly, a customer or admin can only have 1 second factor, correct? It's normal to have at least 2 second factors, in case one dies or is stolen. That's why Google or GitHub, for example, ask you to activate SMS 2FA first, before you can activate any other 2FA method. You should always have 2, in case one is lost. You need a backup method, otherwise the account is lost.

I suggest making it flexible from the beginning so that you can have multiple 2FA methods active. Then you don't have problems if you want to have that later on, because then you would need to migrate existing data...

For this you need a separate database table, so 1 admin/customer can have multiple 2FA methods active at the same time. For example two U2F physical devices (or 3?), and TOTP. Or you have 2 separate TOTP devices (1 smartphone and 1 tablet) with separate secrets. That must be possible, otherwise you will have problems in the future.
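The point raised twice in this thread (one second factor per account is a recovery trap; store factors in their own table so an account can hold several) can be shown concretely. The following is an added example written for this discussion, not Froxlor's code, and it is in Python rather than Froxlor's PHP so that it runs stand-alone. It models a many-to-one `SecondFactor` record per account (the "separate table" of the comment above), implements HOTP/TOTP per RFC 4226/6238 with HMAC-SHA1 and a one-step drift window (the same family of code Froxlor's TOTP login would check), verifies a submitted code against every active TOTP factor, and refuses to remove the last active factor. Account names, labels, and the second secret are constructed; the first secret is the RFC 6238 test-vector key.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional

STEP_SECONDS = 30
DIGITS = 6


@dataclass
class SecondFactor:
    """One row of the per-account factor table.

    kind: "totp" here; the same row shape can hold other kinds
    (e.g. a WebAuthn credential would keep its credential id and
    public key in `secret`), which is the point of the separate table.
    """
    kind: str
    label: str
    secret: bytes
    active: bool = True


@dataclass
class Account:
    name: str
    factors: List[SecondFactor] = field(default_factory=list)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> int:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def format_code(code: int, digits: int = DIGITS) -> str:
    return str(code).zfill(digits)


def verify_totp(account: Account, submitted: str, at: float,
                window: int = 1, step: int = STEP_SECONDS) -> Optional[str]:
    """Return the label of the first active TOTP factor matching `submitted`,
    accepting +/- `window` time steps of clock drift, or None if none match."""
    submitted = submitted.strip()
    for factor in account.factors:
        if factor.kind != "totp" or not factor.active:
            continue
        for drift in range(-window, window + 1):
            expected = format_code(totp(factor.secret, at + drift * step, step))
            # constant-time comparison so a wrong digit does not leak via timing
            if hmac.compare_digest(expected, submitted):
                return factor.label
    return None


def remove_factor(account: Account, label: str) -> None:
    """Delete a factor, but never the last active one (the account would be
    left with no usable second factor, the situation the thread warns about)."""
    target = next((f for f in account.factors if f.label == label), None)
    if target is None:
        raise KeyError(f"no factor labelled {label!r}")
    active = [f for f in account.factors if f.active]
    if target.active and len(active) <= 1:
        raise ValueError("refusing to remove the last active second factor")
    account.factors.remove(target)


def make_demo_account() -> Account:
    """Constructed sample: one account, two TOTP devices with separate secrets."""
    return Account("demo-customer", [
        SecondFactor("totp", "phone", b"12345678901234567890"),   # RFC 6238 test key
        SecondFactor("totp", "tablet", b"constructed-backup-secret"),
    ])


if __name__ == "__main__":
    acct = make_demo_account()
    print("code for phone at T=59:", format_code(totp(acct.factors[0].secret, 59)))
    print("matched factor:", verify_totp(acct, "287082", at=59))
```

The RFC 6238 reference vectors make the arithmetic checkable offline: with the first secret, `totp(secret, 59)` yields 287082 (the 8-digit vector 94287082 truncated to 6 digits). Because verification iterates over all active rows, enrolling a third device is an insert rather than a schema migration.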

@d00p

Member

d00p commented Nov 30, 2018

Feel free to implement...
