
Add 2-Step Verification for account login #206

Closed
wel97459 opened this issue Feb 18, 2019 · 17 comments
Labels
Security Relating to protecting users or data

Comments

@wel97459

Add 2-Step Verification for account login using the Google Authentication standard.
Would be an option the user can turn on under their account options, and would not be forced on the user, but suggested for better account security.

@Frooxius Frooxius added the Security Relating to protecting users or data label Feb 18, 2019
@Karel-Owen-Watts
Member

Will be a very useful security layer, especially when handling licences, contracts and NCR. Google Auth is the gold standard of 2-Step - we don't have to look any further. There should be a last resort to remove it if the user really can't reach his backup codes -- through Neos support, but certainly only after email/phone confirmation and some heads-up alerts sent to all of his registered contacts during a hefty waiting period.

@h1z1

h1z1 commented Aug 30, 2019

Please do not require third party services like Google / SMS for auth. It doesn't offer the security you think it does. "Gold Standard" maybe to Google.

@mralext20
Contributor

I believe what @JohannAmos means is using a TOTP based method, instead of rolling their own app or using email tokens.

read more about TOTP here: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm

@h1z1

h1z1 commented Aug 30, 2019

I don't think so, given they literally said Google. Requiring OTP for 2FA would be a royal PITA. If you look at existing deployments many of them resort to saving logins because of it too which defeats the point. Discord is a good example of what NOT to do. Not sure how that would even work in VR, tell people they need to pull their headset off because you need to grab the token? I'd hope not.

@ProbablePrime
Collaborator

TOTP would be ok. It doesn't rely or depend on Google and has many open source implementations.

@h1z1

h1z1 commented Aug 30, 2019

"Google Auth" is not restricted to OTP, they have their own set of requirements for account creation, access, etc.

@mralext20
Contributor

Just wanted to kindly poke this again, account security is important to me.

@Toxic-Cookie

Yes especially after the MMC. As time goes on, the risk climbs.

@3x1t-5tyl3

Bumping this. I'd really like to see two factor auth. It's a very important step to increase security.

@RaithSphere
Collaborator

Bump from me too, something I would like to see.

@JackTheFoxOtter

Fully agree, this should definitely be addressed before Neos's marketplace goes live.
There can be a lot of value in a Neos account, maybe it shouldn't even be optional anymore once a user opens a shop on the marketplace / collects a certain amount of NCR in their account.

@chemicalcrux

Agreed. It would be excellent to be able to use my Yubikey to secure my account; failing that, a plain old TOTP scheme would be fine, too.

@Frooxius
Collaborator

I've got this mostly implemented now, but we ran into an unexpected issue - enabling this for account login will require updating account.neos.com, but since that's managed by a 3rd party developer, that will probably take a while to get updated. We have a few options now:

  • Keep this for NCR transfers only for now. This will not break anything existing, but also won't protect the account login
  • Allow optionally enabling/disabling the account login check (or perhaps disabling it for a short time period once enabled). This will give you a short window to login to the website, e.g. to login to the Wiki and so on, but you will have to do so from Neos or the AdminX tool.

Any thoughts on those? Or potential alternatives?

Also here's a demonstration of what's implemented in action. Obviously the codes shown in the video were scrapped and I'll generate myself some fresh ones:
https://www.youtube.com/watch?v=6AB2JMR-PIg
https://www.youtube.com/watch?v=Db10T1CXpHA

@Frooxius
Collaborator

This has now been released in 2021.7.21.127!

Works for any NCR/KFC transactions and optionally for login. Right now login breaks account.neos.com, but can be enabled/disabled with a command, so that should provide good enough workaround.

I'm closing this issue now, any additional features and improvements can now be more focused issues.

Copying notes from the release with more info:

  • Implemented Two Factor Authentication (2FA) using TOTP - Time-Based One Time Password (based on a combination of GitHub voting, Patreon priority voting, and general community feedback, originally requested by @0utsider | Programmer, @karel | CEO, @alex from Alaska, @ProbablePrime | Docs, @Toxic_Cookie | NTC CEO, @3x1t_5tyl3, @Raith (CytraX) | Programmer, @jack, @chemicalcrux and others)
    -- You can enable 2FA on your dash from the tools facet, which has a new "Setup 2FA" option
    -- To set up you'll need a TOTP authenticator app, like Authy or Google Authenticator
    -- Once enabled, every credit transaction (NCR, KFC) will require a 2FA code to complete
    -- Optionally you can enable 2FA requirement for login by sending /enableLogin2FA command to the Neos account
    --- IMPORTANT: Currently this breaks login at the account.neos.com website, as it's not been updated with 2FA support yet
    --- Using "Remember Me" will not require 2FA code every time you start Neos. If you want even more increased security, do not check this option and manually login every time. However this shouldn't pose a significant risk, as the "remember me" token is invalidated every time you login
    -- You can disable 2FA requirement for login by sending /disableLogin2FA command
    -- Take care to protect your secret code and recovery codes. If you lose them, you'll PERMANENTLY lose access to your account
    -- AdminX and Headless support 2FA login as well
    --- Note that with Headless you cannot use auto-login in the configuration file with 2FA, only the dynamic "login" command will work

@RobertBaruch

Has account.neos.com been updated for 2FA? If not, is there a github issue to link here? If not, can a github issue be created?

@Frooxius
Collaborator

Please refer to my two comments above. You can also use /webLogin command in Neos to temporarily disable the 2FA login.

Long term we'll likely replace account.neos.com with auth.neos.com but it needs more work.

@RobertBaruch

Thanks, I added this to the wiki!
