Two factor authentication login: new GoogleAuthenticator plugin on Marketplace! #2846

Closed

robocoder opened this Issue Jan 1, 2012 · 18 comments · 6 participants
robocoder (Contributor) commented Jan 1, 2012

Proposing Yubico integration initially since I already have a Yubikey.

Can look into other vendors later.

mattab (Member) commented Feb 17, 2012

Can you please elaborate on this one? is it a proposal for core or a plugin?

robocoder (Contributor) commented Feb 17, 2012

Changes to core are needed either way.

mattab (Member) commented Dec 14, 2012

It would be great to have, even using Google two factor authentication API.

halfdan (Member) commented Sep 5, 2013

I started an implementation for two-factor authentication:

  • It integrates into the standard login
    • After entering username + password the Login checks if 2FA is activated and requires a two-factor auth secret
  • A user can activate 2FA in UsersManager by scanning a QR code and typing in the current number

Some refactoring has to happen to the Login plugin in order to make this work. Right now the Auth mechanism depends on AuthRequest, which extends Zend_Auth_AuthRequest (a dependency we should get rid of). AuthRequest only provides states for SUCCESS and FAILURE, but I need a new state "TWO_FACTOR_REQUIRED" to mark the attempt as valid (username + password correct, two-factor secret missing).

I would also like to propose a change in the authentication logic. The API.Request.authenticate event should be changed, so that we could offer alternative authentication methods that do NOT rely on token_auth. E.g. for two-factor auth, as an additional security feature we need at least token_auth + verification_secret to authenticate the request. There might be other login solutions that would make the token_auth obsolete, so the API.Request.authenticate event should just pass the $_REQUEST array.

Current status is attached as a screenshot.

halfdan (Member) commented Sep 5, 2013

Attachment: Two Factor Authentication in Admin backend (two-factor-auth-piwik.png)

mattab (Member) commented Sep 6, 2013

It is a great feature for sure. You are welcome to refactor the Login plugin to make this possible. This feature has to be provided by a Plugin, not in core. It is better to keep such an advanced yet awesome feature out of core. Investigate how this can be done with a refactor of the Login class + adding new events to let plugins extend the ValidateUser/Login/Logout workflows.

I suggest you submit your code as a Pull Request so we can further discuss the design.

mattab (Member) commented Sep 6, 2013

As a small first step it's good if you can get rid of Zend_Auth_AuthRequest, as in general we'd like to move away from Zend_* (we'll tackle Registry and Log* for sure).

halfdan (Member) commented Sep 6, 2013

I'll try to implement this in the Login plugin. There is no other solution IMO.

Since two-factor auth comes after the normal Login process (username + password), the only way to implement this in a new plugin is by copying the Login plugin (which I will not do).

TOTP is a de facto standard (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Public_Server_Implementations) across many services, so I really think this should be a core feature and provided by the Login plugin. The feature is not "advanced", it's just an improvement over the relatively low security Piwik currently provides (md5 + single salt).

@robocoder robocoder added this to the 2.x - The Great Piwik 2.x Backlog milestone Jul 8, 2014

@mattab mattab removed the P: normal label Aug 3, 2014

@mattab mattab referenced this issue Nov 3, 2014: Add support for app specific passwords #6559 (open)

@mattab mattab added the c: Security label Mar 8, 2015

ghost commented Jul 10, 2015

This should be back in the roadmap!

MagicFab commented Jul 10, 2015

Other free open source implementations of this exist, this reminds me of this 2FA plugin for WordPress, very nicely implemented.

strobeltobias commented Jul 15, 2015

Two factor authentication for Piwik would be awesome! Especially the data of website visitors would be better protected against hackers.
Maybe a Yubikey integration would also be possible. I live great with this gadget!

robocoder (Contributor) commented Jul 15, 2015

There are ways to approach this:

  1. 2fa is enabled for everyone, so the pin is input on the same form as the user+password
  2. 2fa is enabled per user, so requires an intermediate pin page

sgiehl (Member) commented Jul 24, 2015

There is now a plugin for GoogleAuthenticator. See http://plugins.piwik.org/GoogleAuthenticator

robocoder (Contributor) commented Jul 24, 2015

@sgiehl : how hard to allow API requests without the auth_code?

sgiehl (Member) commented Jul 24, 2015

Guess we would need to add app-specific passwords or something like that.
Otherwise a login would be possible using only token_auth in the URL.
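Editor's note, added example (not code from Piwik, from the GoogleAuthenticator plugin, or from any participant above): the pieces halfdan describes on Sep 5, 2013 (TOTP enrolment from a QR code, a TWO_FACTOR_REQUIRED login state, passing the whole request to the API authentication hook) together with the gap sgiehl points out here (a bare token_auth in the URL would bypass the second factor unless app-specific passwords exist), written in Python rather than the plugin's PHP. The user record, the function names, the PBKDF2 password hashing and the app-password scheme are assumptions for illustration; the TOTP part follows RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, and also handles the two edge cases a reviewer would ask about: clock skew (a one-step window) and replay of an already-accepted code.

```python
"""Added example (not Piwik code): TOTP enrolment/verification, a three-state
login result, and an API gate that refuses a bare token_auth once 2FA is on.
The user record and every name below are illustrative assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
from enum import Enum
from typing import Optional
from urllib.parse import quote

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def totp_at_step(secret_b32: str, step: int) -> str:
    """HOTP (RFC 4226) over the time-step counter: HMAC-SHA1 + dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, for_time: int) -> str:
    """RFC 6238: the HOTP counter is Unix time divided by the step."""
    return totp_at_step(secret_b32, for_time // STEP)


def new_totp_secret() -> str:
    """160-bit random secret, base32-encoded so an authenticator app can import it."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(issuer: str, login: str, secret_b32: str) -> str:
    """otpauth:// URI; this string is what the enrolment QR code encodes."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(login)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(login: str, password: str, totp_secret: Optional[str] = None) -> dict:
    """Constructed in-memory user record; totp_secret=None means 2FA not enrolled."""
    salt = secrets.token_bytes(16)
    return {"login": login, "salt": salt, "pw": _pw_hash(password, salt),
            "token_auth": secrets.token_hex(16), "totp_secret": totp_secret,
            "last_step": -1,       # highest TOTP step already accepted (replay guard)
            "app_passwords": {}}   # name -> (salt, hash) of a per-application credential


def verify_totp(user: dict, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock skew, but never
    a step at or below the last accepted one, so a captured code cannot be replayed."""
    for k in range(-window, window + 1):
        step = now // STEP + k
        if step > user["last_step"] and hmac.compare_digest(
                totp_at_step(user["totp_secret"], step).encode(), code.encode()):
            user["last_step"] = step
            return True
    return False


class AuthResult(Enum):
    FAILURE = "failure"
    TWO_FACTOR_REQUIRED = "two_factor_required"   # password ok, show the code page
    SUCCESS = "success"


def login(user: dict, password: str, auth_code: Optional[str], now: int) -> AuthResult:
    """Interactive login, approach 2 from the thread: 2FA per user, with an
    intermediate code page only when the account has a secret enrolled."""
    if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"]):
        return AuthResult.FAILURE
    if user["totp_secret"] is None:
        return AuthResult.SUCCESS
    if auth_code is None:
        return AuthResult.TWO_FACTOR_REQUIRED
    return AuthResult.SUCCESS if verify_totp(user, auth_code, now) else AuthResult.FAILURE


def add_app_password(user: dict, name: str) -> str:
    """Create a per-application password; the plaintext is returned exactly once."""
    plaintext = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    user["app_passwords"][name] = (salt, _pw_hash(plaintext, salt))
    return plaintext


def authenticate_api_request(user: dict, params: dict, now: int) -> bool:
    """API gate given the whole request dict. An app-specific password stands on
    its own; token_auth alone is enough only while 2FA is off, otherwise the
    request must also carry a fresh auth_code."""
    app_pw = params.get("app_password")
    if app_pw is not None:
        return any(hmac.compare_digest(_pw_hash(app_pw, salt), h)
                   for salt, h in user["app_passwords"].values())
    token = params.get("token_auth")
    if token is None or not hmac.compare_digest(token.encode(), user["token_auth"].encode()):
        return False
    if user["totp_secret"] is None:
        return True
    code = params.get("auth_code")
    return code is not None and verify_totp(user, code, now)
```

With the RFC 6238 Appendix B secret (ASCII "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) the function reproduces the published SHA1 vectors, e.g. 287082 at T=59 and 081804 at T=1111111109, which is the quickest way to check any TOTP implementation before wiring it into a login. The replay guard is the reason `verify_totp` mutates the user record: without persisting the last accepted step, a code sniffed from a request stays valid for the whole window.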

mattab (Member) commented Jul 25, 2015

@sgiehl Well done, this looks epic. It is excellent news for the Piwik community 🚀

MagicFab commented Aug 10, 2015

@sgiehl app-specific passwords: #6559

I believe we can now close this one?

mattab (Member) commented Aug 12, 2015

I guess the issue can be closed and all further requests regarding two factor auth can go into the plugin github repository: https://github.com/sgiehl/piwik-plugin-GoogleAuthenticator

@sgiehl I'll leave you the pleasure of closing it 🎉

@sgiehl sgiehl closed this Aug 12, 2015

@mattab mattab changed the title from Two factor authentication login to Two factor authentication login: new GoogleAuthenticator plugin on Marketplace! Oct 13, 2015

@mattab mattab added the answered label Oct 5, 2016
