Two-factor authentication #352

Open
ericchiang opened this Issue Mar 1, 2016 · 9 comments

Collaborator

ericchiang commented Mar 1, 2016

We don't have an immediate need for this but it would be a very cool thing to add. Would ideally use API tokens to integrate with an existing one time password provider.

This feels like an addition to the local connector.

ibotty commented Apr 19, 2016

I am interested in using U2F with dex. There are some notes on using U2F with OIDC from Yubico: https://www.yubico.com/wp-content/uploads/2015/08/Yubico-U2F-and-OIDC-Final.pdf

If given guidance, I might be able to devote some time to it.

Contributor

bobbyrullo commented Apr 20, 2016

@ibotty : that would be wonderful.

I agree with @ericchiang that it sounds like a local connector addition. Consider the different deployment options: requiring 2-factor for all users, user's choice, or not enabled. Also consider how general this needs to be: if it works with YubiKey, will it work with other vendors?

The way to proceed is to post a proposal here and once we reach agreement you can move forward with an implementation. If you need more guidance don't hesitate to ask!

Also note: I am working on a proposal template, so once that is in please use that if you can.

ibotty commented Apr 21, 2016

U2F is a vendor-neutral standard. It would also work with cheap $5 dongles.

I will try to do a proposal draft next week.

ibotty commented May 10, 2016

I did not get to it a few weeks ago. Sorry. I don't know when I will have time. So nobody should be discouraged from working on it!

Contributor

wyattanderson commented Aug 9, 2016

Would be awesome to see U2F support, but we'd also love to have TOTP. We use the LDAP connector, though, so if it could be configurable to work with connectors that don't already provide 2FA, that would be neat.

Contributor

remohammadi commented Sep 5, 2016

I'm also interested in working on this.

To implement it as a local connector addition, I think we need to rethink the connector config format, because in the current format connectors are ORed with each other (authorizing through one of them is sufficient). I can think of these options:

  • Make it possible to define a pipeline of connectors in the config. (overkill?)
  • Another flag for dex-worker, -2fa-connectors for example, to set a list of connectors as the second authenticator.
  • Have a combined connector (local+TOTP for example)

Which option makes sense as the base for the proposal?

Collaborator Author

ericchiang commented Jan 10, 2017

Going to copy and paste a comment I added over in #763:

Might be something that can be implemented out of scope of dex. E.g. user logs into app through dex, then when they try to do something sensitive the app itself triggers a second factor.

When to trigger a second factor is hard to express in a general way.

Basically, I don't know if dex itself should implement this. Second factor auth is usually triggered by special events, such as logging in from a new device, a new geographical location, or after some predetermined amount of time. Are these decisions general or something that an application developer using dex for auth would want to control themselves?
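
The application-side approach described in the comment above, sketched as an added example that is not part of the thread and is not dex code: the app decides when a second factor is due and verifies a TOTP code itself (RFC 6238, HMAC-SHA1, 6 digits). The `Session` type, `NeedsStepUp` policy and its `maxAge` parameter are hypothetical, and only two of the triggers named above (new device, elapsed time) are modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Session is a hypothetical app-side record kept after a login through dex.
type Session struct {
	KnownDevice      bool
	LastSecondFactor time.Time
}

// NeedsStepUp is the app's own policy: sensitive actions require a recent
// second factor from a device the app has seen before.
func NeedsStepUp(s Session, sensitive bool, now time.Time, maxAge time.Duration) bool {
	return sensitive && (!s.KnownDevice || now.Sub(s.LastSecondFactor) > maxAge)
}

// TOTP computes the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) for t.
func TOTP(secret []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP accepts the current step and one step either side (clock skew),
// comparing every candidate in constant time.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	ok := 0
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		ok |= subtle.ConstantTimeCompare([]byte(TOTP(secret, now.Add(skew))), []byte(code))
	}
	return ok == 1
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	fmt.Println(VerifyTOTP(secret, "287082", time.Unix(59, 0)))
}
```

A production verifier would also record the last accepted time step per user so that a code cannot be replayed inside the skew window.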

mounk commented Jul 12, 2018

In recent years, we’ve witnessed a massive increase in the number of websites losing personal data of their users. And as cybercrime gets more sophisticated, companies find their old security systems are no match for modern threats and attacks. Sometimes it’s simple human error that has left them exposed. And it’s not just user trust that can be damaged. All types of organizations—global companies, small businesses, start-ups, and even non-profits—can suffer severe financial and reputational loss.
I watch this video to an article Bluestacks TextNow Photomath

ericchiang removed the help wanted label Sep 5, 2018

rosskusler commented Feb 18, 2019

Increasingly we're being asked to add 2FA to dashboards and control panels of sensitive applications. 2FA is typically required every time the user logs in (or their token expires). It would be really convenient to have dex handle this.
