SEC-2390: Multi Factor Authentication

[spring-projects-issues]

Rob Winch (Migrated from SEC-2390) said:

Include support for HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.

https://fidoalliance.org/about

See https://code.google.com/p/google-authenticator/

A simple example of U2F https://github.com/rwinch/spring-boot-security-u2f

[spring-projects-issues]

Jeroen Cranendonk said:

I was looking for something like this, petty it's not here yet, building my own now :)

Has anyone given any thought already how this should be done?
My approach is having two steps, the first validates the password, pulls up the user details, and sends the OTP(SMS), the second step validates the OTP the user entered.
Each step uses a filter, the first is just UsernamePasswordAuthenticationFilter, with a custom UserDetailsService which pulls up the user, gives it a temporary role, and sends the OTP (After validating the password, to prevent OTP spam :) ). Both the OTP and the full authorities for the user are stored in the principal.
The second filter checks for the temporary role, and grabs the OTP the user entered, which is then checked by a custom AuthenticationProvider which validates the OTP, and if it matches sets the authentication of the user to those stored in the principal.

Right now I'm struggeling with setting up some proper events for all this, I rely on events for audit logging, but I'm getting two succesfull authentication events with my current setup ;)

(Oh, shouldn't there be a link to SEC-2824 from here too?)

[spring-projects-issues]

Jeroen Cranendonk said:

Some related resources I found and which I based my approach on, might help someone:
https://github.com/altfatterz/two-step-login (very basic approach, and uses a MVC controller for the second step instead of a filter).
https://github.com/kyleboon/two-step-authentication-example (Closer to what I do, but goes to the user 'database' twice I think, while I reuse the principal from the first step).

[spring-projects-issues]

Jeroen Cranendonk said:

Noticed a issue with the setup as I described above, sending the OTP from the UserDetailsService means sending it on a faulty password too, which isn't a great plan.

Instead I now made a wrapping provider, which I stick above the dao provider, makes for cleaner separation anyways :)

[thomasdarimont]

the guys from projectlombok recently gave a talk about MFA with TOTP - might be a good inspiration: https://github.com/rzwitserloot/totp-example

[rwinch]

Thanks @thomasdarimont!

[thomasdarimont]

actually I even started porting this to spring security ;-)

[rwinch]

@thomasdarimont Would love to see a pull request :-D or even a sample thrown together

[ynojima]

Hi, I'm implementing AuthenticationProvider for Web Authnetication specification (https://www.w3.org/TR/webauthn/), which is successor of FIDO 2.0, and became W3C Candidate Recommendation recently.
https://github.com/ynojima/spring-security-webauthn

I implement AuthenticationProvider for Spring Security study. It is still a proof of concept, but in future, I'd like to send pull request. I'll be happy if you look into it.
(for more details about Web Authentication, see this article: https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/)

Sample application which works with Firefox Beta and FIDO-U2F device like Yubikey is provided.
(Please see the reference for instruction)

I have a favor to ask for Spring Security core to have some foundation class for multi factor authentication. It is desired to have a way to indicate a user who passed first step of multi step (factor) authentication. The status is: "not yet authenticated, but the user is identified". Since FIDO-U2F device needs keyHandle stored in server associated with user id for its authentication step, user need to be identified in the first step.
(See Section 3. Application-specific keys in https://developers.yubico.com/U2F/Protocol_details/Overview.html)

PullRequest for it: #5196

I made a new AuthenticationToken named FirstOfMultiFactorAuthenticationToken for it, and have AuthenticationTrustResolverImpl#isAnonymous return true for the token.
( At first, I tried to have the token just inherit AnonymousAuthenticationToken, but I found AnonymousAuthenticationToken is handled by HttpSessionSecurityContextRepository in a special manner,
so I had to modify Spring Security core a bit.)

I hope you enjoy the PoC.