
Replace "Two Factor Authentication - Google Authenticator" with "oath-toolkit" code (more privacy and more security) #30195

Closed
danjde opened this issue Jul 26, 2020 · 9 comments

Comments

@danjde

danjde commented Jul 26, 2020

Hi Friends,
I've always wondered if there was any Google tracking code in "Two Factor Authentication - Google Authenticator" plugin.

So I started looking at the libpam Google code from which it should draw, and I've found this call stack:

if (encoderURL) {
    // Show a QR code by building a link to a third-party chart service;
    // the otpauth:// URI (including the secret) is URL-encoded into the query string.
    const char *encoder = "https://www.google.com/chart?chs=200x200&"
                          "chld=M|0&cht=qr&chl=";
    const char *encodedURL = urlEncode(url);

    *encoderURL = strcat(strcpy(malloc(strlen(encoder) +
                                       strlen(encodedURL) + 1),
                                encoder), encodedURL);
    free((void *)encodedURL);
}

where Google admits to having access to the token:

printf("Warning: pasting the following URL into your browser exposes the OTP secret to Google:\n %s\n", encoderURL);

So I've written to the google-authenticator-libpam developers for more information and opened an issue (immediately archived), if you want to dig deeper.

Coming back to Joomla!, what do you think about "Two Factor Authentication - Google Authenticator" and Joomla! users privacy?

Why not use code that is more respectful of privacy (but also of security) for Joomla!? And try to keep Google as much as possible out of our lives?

Many thanks!

Davide
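The point of the quoted snippet is that the QR-code helper hands the otpauth:// URI, secret included, to a remote chart service. The following is an added example, not code from Joomla!, google-authenticator-libpam or oath-toolkit: it implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, builds the provisioning URI locally so the secret never leaves the server, and includes a check that flags a URL which embeds such a URI in a query parameter of a third-party host. The secret used in the constants is the RFC 4226 test-vector key; the account, issuer and the sample "leaky" URL are constructed for the example.

```python
# Added example (not the plugin's or libpam's code): local HOTP/TOTP plus a
# detector for provisioning URIs being uploaded to a third-party QR service.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# RFC 4226 / RFC 6238 test-vector key (20 ASCII bytes); base32 form is
# GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ. Any real deployment generates a random key.
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed sample of the pattern in the quoted snippet: chart-service URL with
# the otpauth:// URI (and its secret=) percent-encoded into the "chl" parameter.
CONSTRUCTED_LEAKY_URL = (
    "https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl="
    "otpauth%3A%2F%2Ftotp%2FJoomla%253Aalice%3Fsecret%3D"
    "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ%26issuer%3DJoomla"
)


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, window=1, step=30):
    """Constant-time comparison against the current step and +/- `window`
    neighbouring steps, to tolerate clock drift of the authenticator app."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(hotp(secret, at // step + k), code)
        for k in range(-window, window + 1)
    )


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI understood by FreeOTP, Google Authenticator and similar apps.
    Render it to a QR code locally; the URI carries the shared secret."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def secret_exposed_to(url):
    """Return the remote host an otpauth:// URI (with secret=) is being sent to,
    or None if the URL is the provisioning URI itself / carries no secret."""
    parsed = urlparse(url)
    if parsed.scheme == "otpauth":
        return None
    for values in parse_qs(parsed.query).values():
        for value in values:  # parse_qs has already percent-decoded the value
            if value.startswith("otpauth://") and "secret=" in value:
                return parsed.hostname
    return None


if __name__ == "__main__":
    uri = provisioning_uri(RFC_TEST_SECRET, "alice", "Joomla")
    print("local URI  :", uri, "-> exposed to", secret_exposed_to(uri))
    print("leaky URL  :", "exposed to", secret_exposed_to(CONSTRUCTED_LEAKY_URL))
    print("TOTP at T=59:", totp(RFC_TEST_SECRET, at=59))
```

Because `secret_exposed_to` works on the decoded query parameters, it catches the same secret whether the chart service is Google's or any other host; the defensive rule it encodes is simply that the otpauth:// URI is a credential and is rendered to a QR code on the server (or printed as text for manual entry), never submitted to someone else's URL.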

@danjde danjde changed the title Replace "Two Factor Authentication - Google Authenticator" with "oath-toolkit" Replace "Two Factor Authentication - Google Authenticator" with "oath-toolkit" code (more privacy and more security) Jul 26, 2020
@brianteeman
Contributor

To the best of my knowledge Joomla does not use that library, and the terminology "Google Authenticator" is used to describe the type of authentication; it clearly states that
"This feature allows you to use Google Authenticator, or a compatible application such as FreeOTP, for two factor authentication."

But please check the code, I could be wrong.

@ReLater
Contributor

ReLater commented Jul 27, 2020

Then we should call it "FreeOTP Authenticator" and add a hint that it can also be used with GA.
(I'm just joking but I never used this Authenticator plugin because of "Google" in the name. Hence it was clear for me that G participates (again) when I use it.).

Just BTW: In the German plugin description "FreeOTP" is not mentioned.

@danjde
Author

danjde commented Jul 27, 2020

It should be interesting to know whether the "Two Factor Authentication - Google Authenticator" plugin uses Google code or not.
A simple "grep" in plugins/twofactorauth/ does not return any Google call, but this might not be sufficient to be safe from Google!

What code was used from developers for 2FA on "Joomla!" 3.x?

And then the name (Google)! I really can't stand it! With all the tools/apps that allow you to create HOTP codes!!
Please change it ;-)

Davide

@brianteeman
Contributor

@danjde the joomla code is open feel free to check it yourself and confirm what I already wrote

@PhilETaylor

This comment was marked as abuse.

@PhilETaylor

This comment was marked as abuse.

@PhilETaylor

This comment was marked as abuse.

@brianteeman
Contributor

this really should be closed as it is not an issue

@Quy Quy closed this as completed Jul 29, 2020
@danjde
Author

danjde commented Jul 30, 2020

It was exactly the sloth that led Hitler to the government of Nazi Germany.
Google is no less and this time the whole planet is at stake.
Good Luck!

Davide
