
Account: Add Support for 2-Factor Authentication #808

Closed
swingstate opened this issue Jan 4, 2021 · 63 comments
Labels: authentication (User Account Management and Authentication), idea (Feedback wanted / feature request), priority (Supported by early sponsors or popular demand), security (Impact on server or browser security), tested (Changes have been tested successfully)

Comments

@swingstate commented Jan 4, 2021

I am thinking to host my pp instance behind a reverse proxy to allow colleagues etc. to access albums.

However, I think the lack of two-factor authentication is a "minus" for publicly hosted / accessible instances. Hence my ask to add this as a near-term feature, at least for 2FA apps such as google authenticator / Authy (Google agnostic) / FreeOTP / Microsoft Authenticator to name a few.

Long term support for Authelia should be added to the backlog.

Security should go first and it would be a big plus for pp to have this on the feature list. :)

Screenshots (images not included): Settings > Account (account-buttons); Login with 2FA (login-with-2fa)

@swingstate swingstate changed the title Add Two Factor authentication support for public facing installs Add Two Factor authentication support for public facing instances Jan 4, 2021
@graciousgrey graciousgrey added the idea Feedback wanted / feature request label Jan 4, 2021
@benmccann (Contributor)

Another idea might be to support login via OAuth / OpenID providers such as Google, Apple, Microsoft, etc. This would probably be a prerequisite for connecting to the APIs of any of those providers. And it may also be helpful in the case where multi-user support is added as it may be easier to have friends or family login using their existing accounts rather than creating another one (login via local password creates its own challenges such as password reset). Those providers all offer 2FA, so depending on your needs that may accomplish support for 2FA in the process.

@graciousgrey graciousgrey changed the title Add Two Factor authentication support for public facing instances Auth / Add Two Factor authentication support for public facing instances Jan 5, 2021
@graciousgrey graciousgrey changed the title Auth / Add Two Factor authentication support for public facing instances Auth: Add Two Factor authentication support for public facing instances Jan 5, 2021
@krisnova commented Feb 4, 2021

After working on a Go client and building out an auth mechanism - as a security engineer I am willing to put in some free cycles to help out with an OAuth / 2FA implementation in the backend Go code. No idea when I will have time, but I am happy to help/fund if needed :)

@graciousgrey graciousgrey added priority Supported by early sponsors or popular demand and removed unfunded labels Jul 16, 2021
@swingstate (Author)

$128 donated, hope it helps to bring this feature to life.

@lastzero (Member)

Thank you for your kind donation! 💐

As already answered in the chat, additional multi-user features have not been released yet. This is partly because a few unexpected issues like security vulnerabilities in Go and Log4j surfaced before Christmas and we have a zero bug policy.

They will be released when we deem them safe and bug-free. Besides providing support and fixing bugs discovered in the stable release, this is currently our highest priority.

When OpenID Connect integration has been released, two-factor authentication can be "enabled" by using a provider that supports it, for example Keycloak or Google.

We may later add a full, standalone user management to PhotoPrism, but don't see enough value in it at this time given the many other feature requests and ready-to-use user management solutions.

@bestrocker221

In my opinion a key plus point of photoprism was the complete detachment from Google/Apple/whatever, so that you can completely be self-reliant with no other providers. For many, privacy comes first.
In that way, a 2FA for locally managed accounts would be awesome!

@avm99963

@bestrocker221 You could also use Keycloak (as mentioned by @lastzero) which is open-source and self-managed.

@NemesisRE

or authentik

@Kvaksrud

In a world of constant security challenges MFA is a must! Get a date set :)

@swingstate (Author)

@lastzero what's the likelihood that this feature will make it into one of the (upcoming) 2023 releases?

@lastzero (Member)

I think so and agree that this is an important feature. Funding is the top priority right now so I don't have to implement this (and all other feature requests) all by myself.

@tupyy commented May 3, 2023

Hello,
Is someone working on this? If not, I would like to work on this.

@lastzero (Member) commented May 3, 2023

We are going to work on this after a short break as we have just released a huge update.

@swingstate (Author)

Can you share an update on the progress of this feature? I donated $128 and supported with a monthly payment for a year or two. Thought this would have a bigger impact :)
My License is back to "Essentials", not a big deal, just an FYI.

@lastzero (Member) commented Jul 4, 2023

@swingstate Feel free to email us if you have any questions regarding your membership. As publicly announced, we are currently on vacation and have committed to merging the open pull requests before we proceed with implementing more features. Since many users need 2FA and security is a priority for us, it shouldn't take too long once we have some time to focus on it.

@lastzero lastzero added the security Impact on server or browser security label Jul 4, 2023
@DmitryNefedov

> $128 donated, hope it helps to bring this feature to life.

Seems like a donation is NOT the way to bring the features to life. Pity.

@leosamuele221

up

@graciousgrey graciousgrey added the in-progress Somebody is working on this label Oct 27, 2023
@lastzero (Member) commented Nov 2, 2023

As a first step, we would like to add 2FA via TOTP, for example based on the https://github.com/pquerna/otp library. We still need to do some research to determine what changes are needed to the existing user management backend and frontend, and to figure out which workflows will work best for us, e.g:
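As an added illustration of the TOTP flow proposed above (this is example code written for this page, not PhotoPrism's implementation and not the pquerna/otp library; it uses only the Go standard library), the block below generates RFC 6238 codes with the defaults authenticator apps expect and verifies them with a one-step clock-skew window, constant-time comparison, and a `lastUsed` step so a code captured in transit cannot be replayed:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// Defaults used by Google Authenticator, FreeOTP, Authy etc.: HMAC-SHA1, 30 s step, 6 digits.
const totpStep = 30
// hotp computes the RFC 4226 value for one counter; TOTP (RFC 6238) is HOTP with counter = unix/step.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000)
}

// DecodeSecret parses the base32 secret that the enrollment QR code carries.
func DecodeSecret(secret string) ([]byte, error) {
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
}

// GenerateTOTP returns the code an authenticator app displays at time t.
func GenerateTOTP(key []byte, t time.Time) string {
	return hotp(key, uint64(t.Unix())/totpStep)
}
// VerifyTOTP accepts the current step or one either side (clock skew), compares in constant
// time, and rejects any step not newer than lastUsed so a captured code cannot be replayed.
func VerifyTOTP(key []byte, code string, t time.Time, lastUsed uint64) (bool, uint64) {
	now := uint64(t.Unix()) / totpStep
	for _, c := range []uint64{now - 1, now, now + 1} {
		if c <= lastUsed {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(key, c)), []byte(code)) == 1 {
			return true, c
		}
	}
	return false, lastUsed
}
```

VerifyTOTP returns the step that matched; the server should persist it as the user's `lastUsed` value, and the secret itself must be stored with the same care as a password hash since it is sufficient to mint valid codes.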

@DmitrySandalov

I appreciate the ongoing effort on 2FA.

While TOTP for 2FA is a great step, I'd like to suggest considering FIDO2 WebAuthn 2FA as well, in addition to TOTP (e.g. Yubikey). It aligns with modern security standards and offers a user-friendly alternative.

@lastzero (Member)

@DmitrySandalov We're also looking into WebAuthn for password-less authentication. From my understanding, you would still want to use 2FA to register passkeys, so we need TOTP first either way?

lastzero added a commit that referenced this issue Nov 27, 2023
Signed-off-by: Michael Mayer <michael@photoprism.app>
lastzero added a commit that referenced this issue Apr 10, 2024
lastzero added a commit that referenced this issue Apr 10, 2024
@lastzero (Member) commented Apr 10, 2024

The Apps and Devices dialog in our updated preview build now also lets you view and delete app passwords:

(Screenshots not included: apps-and-devices, apps-confirm)

There are still some tests we need to add. We also wanted to increase the session lifetime when 2FA is enabled, so you don't need to re-login as often (since this takes longer with 2FA and accounts seem less likely to be abused). Should there be any other opinions, now would be a good time to let us know! 🗯️

lastzero added a commit that referenced this issue Apr 10, 2024
lastzero added a commit that referenced this issue Apr 10, 2024
lastzero added a commit that referenced this issue Apr 10, 2024
lastzero added a commit that referenced this issue Apr 12, 2024
@lastzero (Member)

An updated preview build is now available on Docker Hub for final testing:

Any help with that is much appreciated! 🎉

lastzero added a commit that referenced this issue Apr 13, 2024
lastzero added a commit that referenced this issue Apr 17, 2024
lastzero added a commit that referenced this issue Apr 17, 2024
lastzero added a commit that referenced this issue Apr 17, 2024
lastzero added a commit that referenced this issue Apr 17, 2024
lastzero added a commit that referenced this issue Apr 17, 2024
@graciousgrey graciousgrey added tested Changes have been tested successfully and removed please-test Ready for acceptance test labels Apr 18, 2024
lastzero added a commit that referenced this issue Apr 18, 2024
lastzero added a commit that referenced this issue Apr 18, 2024
lastzero added a commit that referenced this issue Apr 18, 2024
lastzero added a commit that referenced this issue Apr 18, 2024
lastzero added a commit to photoprism/photoprism-docs that referenced this issue Apr 20, 2024
@swingstate (Author)

Finally. :) Great to see this has made it into the product!

lastzero added a commit to photoprism/photoprism-docs that referenced this issue Apr 21, 2024
lastzero added a commit to photoprism/photoprism-docs that referenced this issue Apr 21, 2024
lastzero added a commit to photoprism/photoprism-docs that referenced this issue Apr 21, 2024
lastzero added a commit to photoprism/photoprism-docs that referenced this issue Apr 21, 2024
lastzero added a commit that referenced this issue Apr 23, 2024
lastzero added a commit that referenced this issue May 3, 2024