Two-Factor Authentication for SMF using TOTP protocol #2547
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Dragooon
changed the title
Class taken from github.com/enygma/gauth, renamed to \TOTP\Auth since it's a pretty generic TOTP class. Will be used for implementing TFA in SMF Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Don't expose tfa_secret in any form to the client side, tfa_backup is bcrypt encrypted and much harder to crack as compared to the plain text tfa_secret Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Additional security Signed-off-by: Shitiz Garg <mail@dragooon.net>
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Oldiesmann
added a commit
that referenced
this pull request
Dec 3, 2014
Two-Factor Authentication for SMF using TOTP protocol
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for 2FA for SMF using TOTP protocol, allowing users to register a secondary layer of authentication via a device with app such as Google Authenticator, Authy, Duo Mobile etc.
This implementation is based on RFC 6238 Time-Based One Time Password protocol, The user can register a secondary 2FA device via their Account Settings profile area allowing them to add a layer of security upon logging in. This setup provides them a backup code as well, should they lose the device they can use this (it is recommended to store this backup code in a secure place and use only in emergency).
Internally the authentication is stored in a cookie generated with the data sha512(tfa_backup + password_salt), this is checked in loadUserSettings and the user is logged out if it fails and is forwarded to 2FA login screen.
To-do: