Feature Request: 2FA for logins #925
Comments
More secure, yes. Less convenient and more work to implement. The usual security tradeoff!
I certainly get that Tom - but is any 2FA on the roadmap for Jethro?
Previous thread: #858
TOTP (Authy, Google Authenticator) is more secure than SMS, and probably easier to implement, but requires users to install an app. The new state of the art is WebAuthn / Passkeys, with GMail support announced by Google and recently enabled for Google Workspace. The whole idea of logging in with a username and per-app password is becoming obsolete. Hence my 2c on #858, that it would be best to outsource auth completely, to an app like Keycloak that does 2FA, passkeys or whatever the latest hotness is.
It's certainly under discussion, as Jeff notes above! @NeilAtw, in your context would Google Authenticator be preferable to SMS 2FA? Would syndicated auth from Google etc. be workable?
Using Google Authenticator and TOTP apps is a bit more dev work than SMS 2FA because there needs to be a mechanism for setting up the shared key. Whereas SMS just uses the mobile number, which is data Jethro already possesses.
Thanks Tom (and others). I personally would be happy to see even SMS-based 2FA. While I am aware of the potential to hijack SMS contents, in the context that Jethro is used in I think the risk is manageable, and the payoff should be seen as a significant positive. :)
Ok, I think I am ready to try implementing 2FA using SMS/email/list depending on what the user has available or chooses.
SMS: The usual send OTP to the user's mobile number.
I'll base the SMS and email functions on the code in date_reminder.php.
Option to be enabled by the presence of constants in config.php, i.e. if the constants are not there nothing will change in the login process.
Nice! Thanks for putting in the work.
Fraid I haven't started this yet. I will ping Tom when I do get to it in case he is working on it. I am thinking 2FA may not be required for member logins. Just staff logins. That could be parameterised in configurations.
Hi Tim, Tom.
Thanks for the update.
Just for consideration, our use case for Jethro (the Office of the Director of Safe Ministry) means that we would like 2FA for member login if possible. We have around 120 churches (not individuals) keeping data in Jethro for their congregations, and the one or two authorised people in each church are the only church members who have a login. They are the ones we would like to have 2FA for.
Cheers
--
Neil Atwood JP
From: Tim Pearce
Sent: Thursday, September 7, 2023 1:08 PM
To: tbar0970/jethro-pmm
Cc: NeilAtw; Mention
Subject: Re: [tbar0970/jethro-pmm] Feature Request: 2FA for logins (Issue #925)
Neil,
That would be great Tim, thanks. 😊
--
Neil Atwood JP
From: Tim Pearce
Sent: Thursday, September 7, 2023 4:33 PM
To: tbar0970/jethro-pmm
Cc: NeilAtw; Mention
Subject: Re: [tbar0970/jethro-pmm] Feature Request: 2FA for logins (Issue #925)
Neil,
That would be just fine in my proposal. The parameters would be something like 2FA_MEMBERS = true/false 2FA_STAFF = true/false - so entirely up to you.
I might also add a test to see if they are within the office if the site is hosted within the office and turn 2FA off in that case.
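An added example (not Jethro's code, and not from anyone in this thread) of how the proposal quoted above could be implemented in PHP: config constants that switch 2FA on per user class, the optional office exemption, and an SMS/email one-time code that is stored hashed, expires, and allows a bounded number of guesses. The constant names, the `$user` and `$session` layouts, `ipInCidr()` and the CIDR value are assumptions.

```php
<?php
// Added example, not Jethro's code. Constant names, the $user/$session shape
// and the office CIDR are assumptions. Omit a constant and that class skips 2FA.
define('TWO_FA_STAFF', true);
define('TWO_FA_MEMBERS', false);
define('TWO_FA_OFFICE_CIDR', '192.0.2.0/24'); // constructed documentation range
define('TWO_FA_CODE_TTL', 300);  // seconds a code stays valid
define('TWO_FA_MAX_TRIES', 5);   // guesses before the challenge is discarded

function twoFaRequired(array $user, string $remoteIp): bool {
    $isStaff = ($user['type'] === 'staff');
    $enabled = $isStaff ? (defined('TWO_FA_STAFF') && TWO_FA_STAFF)
                        : (defined('TWO_FA_MEMBERS') && TWO_FA_MEMBERS);
    if (!$enabled) return false;
    // Office exemption from the thread: skip 2FA for requests from inside the office.
    if (defined('TWO_FA_OFFICE_CIDR') && ipInCidr($remoteIp, TWO_FA_OFFICE_CIDR)) return false;
    return true;
}

// IPv4-only CIDR match (assumed helper, 64-bit PHP).
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Issue a 6-digit code: keep only its hash, an expiry and a try counter in the
// session, and return the plaintext for the SMS/email sender (not shown here).
function issueCode(array &$session): string {
    $code = str_pad((string)random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $session['2fa'] = [
        'hash'    => password_hash($code, PASSWORD_DEFAULT),
        'expires' => time() + TWO_FA_CODE_TTL,
        'tries'   => 0,
    ];
    return $code;
}

// Verify: reject expired or over-tried challenges, compare with password_verify
// (constant time), and clear the challenge once it is used or exhausted.
function verifyCode(array &$session, string $submitted): bool {
    $c = $session['2fa'] ?? null;
    if ($c === null) return false;
    if (time() > $c['expires'] || $c['tries'] >= TWO_FA_MAX_TRIES) { unset($session['2fa']); return false; }
    $session['2fa']['tries']++;
    if (!password_verify(trim($submitted), $c['hash'])) return false;
    unset($session['2fa']); // single use
    return true;
}
```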
I've started work on this.
Thanks for that. I shouldn't promise to do things during school terms!
…her 2FA is required, and how the SMS is sent.
…ile number is blank and that will block 2FA.
…ion around changing it. Add CSRF token when editing person details, and if 2FA is relevant, send a notification of the change to the old number.
…ing changed via the members interface. Some refactoring to suit.
I have read the previous thread about this, but wanted to suggest that 2FA using a tool like Google Authenticator seems like a better and more secure solution than SMS or even email.
Thoughts?