Two-Factor Authentication for SMF using TOTP protocol #2547

Merged
merged 27 commits into from Dec 3, 2014

@Dragooon
Contributor

Dragooon commented Nov 30, 2014

This PR adds support for 2FA for SMF using the TOTP protocol, allowing users to register a secondary layer of authentication via a device with an app such as Google Authenticator, Authy, Duo Mobile etc.

This implementation is based on the RFC 6238 Time-Based One-Time Password protocol. The user can register a secondary 2FA device via their Account Settings profile area, allowing them to add a layer of security upon logging in. This setup provides them a backup code as well; should they lose the device, they can use this (it is recommended to store this backup code in a secure place and use it only in emergencies).

Internally the authentication is stored in a cookie generated with the data sha512(tfa_backup + password_salt). This is checked in loadUserSettings; the user is logged out if it fails and is forwarded to the 2FA login screen.

To-do:

  • Allow Admins to enable, disable and force 2FA
  • Allow Admins to disable 2FA on other members
  • Add credits for \TOTP\Auth class to contributors/credits etc

@Dragooon Dragooon changed the title from [WIP] Two-Factor Authentication for SMF using TOTP protocol to Two-Factor Authentication for SMF using TOTP protocol Dec 2, 2014

@Dragooon Dragooon added this to the Beta 2 milestone Dec 2, 2014

Dragooon added some commits Nov 30, 2014

Add \TOTP\Auth class
Class taken from github.com/enygma/gauth, renamed to \TOTP\Auth since it's a pretty generic TOTP class. Will be used for implementing TFA in SMF

Signed-off-by: Shitiz Garg <mail@dragooon.net>
Add tfa_secret and tfa_backup columns to the member table
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Add Two-Factor Authentication profile area
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Label not lable
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Properly validate TFA members
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Add form for logging TFA members in
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Use tfa_backup instead of tfa_secret for cookie
Don't expose tfa_secret in any form to the client side; tfa_backup is bcrypt encrypted and much harder to crack as compared to the plain text tfa_secret.

Signed-off-by: Shitiz Garg <mail@dragooon.net>
Fix login popups
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Empty the 2FA cookie on logout as well
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Wipe user's 2FA preferences when using a backup code
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Don't load additional layers when sending an AJAX request to login2
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Add 2FA mode settings to Cookie and Session settings page
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Implement 2FA settings
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Fix disabling of 2FA
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Some 2FA setup template improvements
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Add enygma/gauth to contributers.txt
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Add missing external credits to the credits page
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Account for user in 2FA profile area
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Enable 2FA by default
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Don't reset $_COOKIE[$cookiename] during TFA authentication
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Update cookie validation regex with increased length of SHA512
Signed-off-by: Shitiz Garg <mail@dragooon.net>
$user_settings['member_name'] instead of username
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Fix undefined index tfa_error
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Don't have space in QR code identifier
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Fix disable link
Signed-off-by: Shitiz Garg <mail@dragooon.net>
Ask for password when enabling 2FA
Additional security

Signed-off-by: Shitiz Garg <mail@dragooon.net>
Increase max height of overlay boxes to 30em
Signed-off-by: Shitiz Garg <mail@dragooon.net>

Oldiesmann added a commit that referenced this pull request Dec 3, 2014

Merge pull request #2547 from Dragooon/tfa
Two-Factor Authentication for SMF using TOTP protocol

@Oldiesmann Oldiesmann merged commit 84e5539 into SimpleMachines:release-2.1 Dec 3, 2014
