View Issue Details

ID: 1387
Project: Composr
Category: core
View Status: public
Last Update: 2021-06-19 04:58
Reporter: Chris Graham
Assigned To: Guest
Priority: normal
Severity: feature
Status: new
Resolution: open
Summary: 1387: 2-factor-authentication overhaul
Description: 2-factor-authentication is really taking off, because people now carry smartphones and because hacking is increasingly an issue as people digitise more of their web behaviour.

It would be nice to have this as an option within Composr. GitHub has just made a nice implementation, that would be a good benchmark.
Additional Information: For most websites, this is overkill. 2-factor-auth is most appropriate for things like e-mail services, friend networks, or coding services, where a hacker could really wreak havoc. Most individual websites aren't a key to that person's life. However, there are still plenty of Composr sites that do hold important details/connections, and this would be nice as an option.

Composr does already have 2-factor-authentication actually, because you can select IP confirmation by e-mail, against individual groups. However this is more of an admin feature than a user feature, and hacking someone's email may also be more viable than getting access to someone's physical smartphone or their 2-factor service account. Probably we would remove the current 2FA implementation and make it a per-user thing to enable, possibly forced for some usergroups. The remembering of validated IP addresses may remain as 'remember this device', but adding user-agent to the combination.

More things to consider...

Enabling:

It needs to be Opt-in (so, a new account editing tab to configure this).
I don't think we should enforce it, but we can add a new symbol to tell if a member has 2FA on - so a theme can nag a user to enable it or lock out functionality at the theme layer.

Where it is present:

Login
Lost password (iff 2FA is not just set to work via email, in which case this would be redundant)
Change important settings in account (username, password, e-mail address, phone number).

How 2FA happens:

SMS (costs site owner about 3p in UK or <1c in US); obviously only possible if site wants to pay for this
HOTP via a device app (e.g. Google Authenticator)
E-mail

It's important to have a Recovery Codes implementation, in case the second device is lost. We don't want the admin to be constantly having to bail out users.

Cookies:

What if login cookies are stolen? Use of cookies is essential to maintain a short or long term login, but works against our 2FA aims. For 2FA users salt login cookies against both IP and user-agent.

We may want a "Remember device" feature? This would remember the IP and user-agent combination so 2FA is not needed again.
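The mechanics sketched in the description above (an authenticator-app code, recovery codes in case the device is lost, and a login cookie salted against IP and user-agent), as an added worked example in Python. This is not Composr code and is not taken from any of the PHP libraries linked in the notes; the function names, the 30-second step, 6-digit codes, the constant-time comparisons, and the sample key, IP and user-agent strings are all assumptions. It implements the time-based variant (RFC 6238 TOTP), which is what authenticator apps such as Google Authenticator use by default, on top of the RFC 4226 HOTP building block, and it includes the parts a practitioner most often gets wrong: the drift window, the replay check, hashing of single-use recovery codes, and the HMAC binding of the cookie.

```python
# Added example (not Composr code, not from the linked PHP libraries): TOTP
# verification with a drift window and replay check, hashed single-use
# recovery codes, and a login cookie bound to IP + user-agent via HMAC.
# Function names, the 30 s step, 6 digits and all sample values are assumptions.
import hashlib
import hmac
import secrets
import struct

STEP = 30      # TOTP time step in seconds (assumed; the authenticator-app default)
DIGITS = 6     # code length (assumed; the authenticator-app default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = 1, last_used_step: int = -1):
    """Accept the code for the current step or up to `window` steps either
    side (clock drift).  Returns the matched step so the caller can persist it
    as `last_used_step`: a code must never be accepted twice, even while it is
    still inside its validity window, or someone who shoulder-surfs one code
    can log in right after the user does."""
    step_now = at // STEP
    for delta in range(-window, window + 1):
        step = step_now + delta
        if step <= last_used_step:
            continue  # this step (or an older one) has already been consumed
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


def new_recovery_codes(n: int = 10):
    """Generate n single-use recovery codes.  Returns (plaintext to show the
    user once, hashes to store).  Only the hashes are persisted, so a database
    leak does not hand out working second factors.  40 bits of entropy per
    code make a plain SHA-256 acceptable; these are not user-chosen passwords."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    stored = [hashlib.sha256(p.encode()).hexdigest() for p in plain]
    return plain, stored


def redeem_recovery_code(stored: list, submitted: str) -> bool:
    """Constant-time compare against every stored hash; the match is removed
    so the same code cannot be redeemed again."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    for i, candidate in enumerate(stored):
        if hmac.compare_digest(candidate, digest):
            del stored[i]
            return True
    return False


def issue_login_cookie(server_key: bytes, session_id: str, ip: str, ua: str) -> str:
    """Cookie value = session_id + '.' + HMAC(server_key, session_id|ip|ua).
    The session id alone is useless to a thief on another address or browser."""
    tag = hmac.new(server_key, f"{session_id}|{ip}|{ua}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def check_login_cookie(server_key: bytes, cookie: str, ip: str, ua: str):
    """Return the session id if the HMAC matches this request's IP and
    user-agent, else None (the caller should then demand a fresh 2FA login)."""
    session_id, _, tag = cookie.partition(".")
    expected = hmac.new(server_key, f"{session_id}|{ip}|{ua}".encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 mode
    secret = b"12345678901234567890"
    print(totp(secret, 59), totp(secret, 1111111109))   # 287082 081804
```

The IP-plus-user-agent binding is a trade-off the description already hints at: it raises the bar for a stolen cookie, but users behind carrier-grade NAT or a roaming mobile connection will be logged out whenever their address changes, so the "remember this device" decision belongs with the same check.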
Tags: Roadmap: Over the horizon, Type: Security
Time estimation (hours): 32
Sponsorship: open
Relationships

related to 3581 (Not Assigned, Guest): Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys]
related to 514 (Closed, Chris Graham): Option to salt login cookies against IP address

Activities

Chris Graham

2021-02-08 02:22

administrator   ~6943

https://web.dev/web-otp/

Chris Graham

2021-05-08 16:15

administrator   ~7089

Here are some articles & libraries...

https://hazardedit.com/implementing-totp-google-authenticator-php/
https://github.com/PHPGangsta/GoogleAuthenticator
https://github.com/Spomky-Labs/otphp

Adam Edington

2021-06-19 04:58

administrator   ~7102

Last edited: 2021-06-19 04:58

https://github.com/RobThree/TwoFactorAuth (an updated fork of the PHPGangsta offering).

Issue History

Date Modified Username Field Change
2019-03-04 18:28 Chris Graham Relationship added related to 3581
2021-01-27 17:55 Chris Graham Summary 2-factor-authentication => 2-factor-authentication overhaul
2021-01-27 17:55 Chris Graham Additional Information Updated
2021-01-27 18:03 Chris Graham Relationship added related to 2130
2021-01-27 18:03 Chris Graham Relationship added related to 514
2021-01-27 18:05 Chris Graham Relationship deleted related to 2130
2021-02-04 21:48 Chris Graham Additional Information Updated
2021-02-08 02:22 Chris Graham Note Added: 0006943
2021-03-14 23:46 Chris Graham Additional Information Updated
2021-03-15 17:35 Chris Graham Tag Attached: Roadmap: v12
2021-05-08 16:15 Chris Graham Note Added: 0007089
2021-06-19 04:58 Adam Edington Note Added: 0007102
2021-06-19 04:58 Adam Edington Note Edited: 0007102
2024-03-26 00:58 PDStig Tag Renamed Roadmap: v12 => Roadmap: Over the horizon