#1387 - 2-factor-authentication overhaul

Identifier #1387
Issue type Feature request or suggestion
Title 2-factor-authentication overhaul
Status Open
Tags

Roadmap: Over the horizon (custom)

Type: Security (custom)

Handling member Deleted
Addon core
Description 2-factor-authentication is really taking off, because people now carry smartphones and because hacking is increasingly an issue as people digitise more of their web behaviour.

It would be nice to have this as an option within Composr. Github has just made a nice implementation, that would be a good benchmark.
Steps to reproduce

Additional information For most websites, this is overkill. 2-factor-auth is most appropriate for things like e-mail services, friend networks, or coding services, where a hacker could really wreak havoc. Most individual websites aren't a key to that person's life. However, there are still plenty of Composr sites that do hold important details/connections, and this would be nice as an option.

Composr does already have 2-factor-authentication actually, because you can select IP confirmation by e-mail, against individual groups. However this is more of an admin feature than a user feature, and hacking someone's email may also be more viable than getting access to someone's physical smartphone or their 2-factor service account. Probably we would remove the current 2FA implementation and make it a per-user thing to enable, possibly forced for some usergroups. The remembering of validated IP addresses may remain as 'remember this device', but adding user-agent to the combination.

More things to consider...

Enabling:

It needs to be Opt-in (so, a new account editing tab to configure this).
I don't think we should enforce it, but we can add a new symbol to tell if a member has 2FA on - so a theme can nag a user to enable it or lock out functionality at the theme layer.

Where it is present:

Login
Lost password (iff 2FA is not just set to work via email, in which case this would be redundant)
Change important settings in account (username, password, e-mail address, phone number).

How 2FA happens:

SMS (costs site owner about 3p in UK or <1c in US); obviously only possible if site wants to pay for this
HOTP via a device app (e.g. Google Authenticator)
E-mail
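The HOTP option above is RFC 4226, which is what Google Authenticator implements in counter mode. The following is an added illustration, not Composr code: it generates and verifies HOTP codes, handles the case where the app's counter has drifted ahead of the server's via a bounded look-ahead window, and builds the otpauth:// URI an authenticator app enrols from. The secret is the RFC 4226 test-vector key so the output can be checked against the RFC; the look-ahead size and the issuer/account names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed demo secret: the 20-byte key from the RFC 4226 test vectors,
# used here only so the results can be checked against the RFC's appendix.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                look_ahead: int = 5):
    """Server-side check. The app's counter may run ahead of the server's (the
    member generated codes without submitting them), so a small look-ahead
    window is searched. Returns the counter value to persist on success, one
    past the matched counter so the same code can never be replayed; returns
    None on failure. The window size (5) is an assumed value for the example."""
    for candidate in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str, counter: int = 0) -> str:
    """otpauth:// URI in the Key Uri Format that Google Authenticator and
    similar apps read from a QR code. The secret is Base32 without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://hotp/{label}?secret={b32}&issuer={quote(issuer)}&counter={counter}"
```

The important server-side detail is the returned counter: after a successful check the persisted counter moves past the matched value, so a code that was intercepted in transit cannot be submitted a second time. The look-ahead must stay small; a large window makes brute-forcing a 6-digit code proportionally easier, and failed attempts should be rate-limited per member regardless.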

It's important to have a Recovery Codes implementation, in case the second device is lost. We don't want the admin to be constantly having to bail out users.
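As an added example of the recovery-code idea (not Composr code): a batch of random single-use codes is generated and shown to the member once, only salted hashes are stored, and redeeming a code removes its hash so it cannot be reused. The alphabet, code length, grouping and batch size are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed choices for this example: lower-case letters and digits, 10 chars
# per code (about 51 bits of entropy), displayed as two 5-character groups.
ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 10


def generate_recovery_codes(count: int = 10) -> list:
    """Fresh single-use codes. They are shown to the member exactly once, at
    enrolment or on regeneration, and only their hashes are kept afterwards."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalise(code: str) -> str:
    """Accept the code however the member typed it: case, spaces and the dash are ignored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> str:
    """Keyed hash of the normalised code. With ~51 bits of entropy per code a
    single HMAC-SHA256 is sufficient; a slow password KDF is not needed here."""
    return hmac.new(salt, normalise(code).encode(), hashlib.sha256).hexdigest()


class RecoveryCodeStore:
    """What the site would persist per member: a per-member salt and the set of
    hashes of codes not yet redeemed. Redeeming removes the hash, so each code
    works at most once, and a leaked table yields only hashes."""

    def __init__(self, codes, salt: bytes = None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        h = hash_code(submitted, self.salt)
        if h in self.unused:
            self.unused.discard(h)
            return True
        return False

    def remaining(self) -> int:
        """A low count should prompt the member to regenerate a fresh set."""
        return len(self.unused)
```

Redemption attempts should be rate-limited like any other login factor, and the member should be notified by e-mail when a recovery code is used, since that is the path an attacker who obtained the printed list would take.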

Cookies:

What if login cookies are stolen? Use of cookies is essential to maintain a short or long term login, but works against our 2FA aims. For 2FA users salt login cookies against both IP and user-agent.

We may want a "Remember device" feature? This would remember the IP and user-agent combination so 2FA is not needed again.
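The two cookie points above, as an added example that is not Composr's implementation: the login cookie carries a member id, a random session id and an HMAC that also covers a fingerprint of the requesting IP and user-agent, so a cookie copied to another machine fails validation; and a "remember this device" table keeps the fingerprints that have already passed 2FA, with an expiry. The cookie layout, the fingerprint construction, the server key and the expiry are all assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed: in a real deployment this key lives in server configuration and
# is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def device_fingerprint(ip: str, user_agent: str) -> str:
    """The 'salt' the issue proposes: the client's IP and user-agent combined."""
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


def issue_login_cookie(member_id: int, ip: str, user_agent: str,
                       key: bytes = SERVER_KEY) -> str:
    """Cookie value = member id, random session id, and an HMAC over both plus
    the device fingerprint. The fingerprint is not stored in the cookie; it is
    recomputed from the request on every check."""
    session_id = secrets.token_hex(16)
    payload = f"{member_id}:{session_id}"
    tag = hmac.new(key, f"{payload}:{device_fingerprint(ip, user_agent)}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def validate_login_cookie(cookie: str, ip: str, user_agent: str,
                          key: bytes = SERVER_KEY):
    """Returns the member id if the cookie was issued by this server for this
    IP/user-agent pair, else None. A stolen cookie presented from elsewhere
    fails because the recomputed fingerprint no longer matches the HMAC."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    member_id, session_id, tag = parts
    expected = hmac.new(
        key,
        f"{member_id}:{session_id}:{device_fingerprint(ip, user_agent)}".encode(),
        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(member_id)


class RememberedDevices:
    """'Remember this device': fingerprints that have already passed 2FA, with
    an expiry so a stale entry does not exempt a device indefinitely."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._entries = {}  # (member_id, fingerprint) -> expiry timestamp

    def remember(self, member_id: int, ip: str, user_agent: str, now: float):
        key = (member_id, device_fingerprint(ip, user_agent))
        self._entries[key] = now + self.ttl

    def is_trusted(self, member_id: int, ip: str, user_agent: str, now: float) -> bool:
        expiry = self._entries.get((member_id, device_fingerprint(ip, user_agent)))
        return expiry is not None and now < expiry
```

The trade-off to weigh: binding to the IP defeats a copied cookie, but mobile members whose address changes between networks will be logged out and re-prompted for 2FA each time, and everyone behind one NAT shares the IP half of the fingerprint. The user-agent half is trivially copied along with the cookie, so it only raises the bar for an attacker who has the cookie but not the rest of the request; the expiry on remembered devices limits how long that exemption lasts.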
Funded? No
