Topic: 2FA for Elk?

2FA for Elk?

I've spent some time on research for two-factor authentication; the integration of Google Authenticator seems quite simple:
https://www.idontplaydarts.com/2011/07/google-totp-two-factor-authentication-for-php/

Not sure if we should integrate it in the elk core by default or make it a plugin / addon?
Thorsten "TE" Eurich
------------------------

Re: 2FA for Elk?

Reply #1

lol, just discovered github added 2fa too...
Quote: Two-factor Authentication
Add some extra security to your GitHub account by enabling two-factor authentication!
they're probably using a different system but the idea is basically the same, second factor on a mobile device.
Thorsten "TE" Eurich
------------------------

Re: 2FA for Elk?

Reply #2

Well it looks nice, but how would it be used?  For logins, ACP panel access, or replace our token stuff with this?  Just trying to understand how and where it would be put to use.

Re: 2FA for Elk?

Reply #3

Quote from: Spuds – Well it looks nice, but how would it be used?  For logins, ACP panel access, or replace our token stuff with this?  Just trying to understand how and where it would be put to use.

In general it's designed for logins.

The idea behind it is to have two different factors for authentication. One factor is something you know (password / PIN) & the second factor is something you own (e.g. a smartcard with a certificate, an RSA token or a mobile device with an OTP token generator). You'd always need both factors in order to log in.

Even if I knew your password, I'd need your mobile phone with the token generator (Google Authenticator) in order to log in with your account.

We could use it for admin panel protection or for the normal login.
Thorsten "TE" Eurich
------------------------

Re: 2FA for Elk?

Reply #4

Thanks for the explanation, that helps ....

I've seen that with some systems ... you have to "register" your phone/tab/laptop/etc as allowed to access. If you are not on one of those devices (not sure this would do it) you have to enter a key that is sent to your primary contact point (text / email) ...

I'm not sure if it's addon or core territory ... might be best to come up with an implementation that can be tested / etc and then decide from there how best to approach it (core/addon) based on what's involved and usage potential based on what's required. Certainly seems like a good way to protect the ACP.




Re: 2FA for Elk?

Reply #5

Quote from: Spuds – I'm not sure if it's addon or core territory ... might be best to come up with an implementation that can be tested / etc and then decide from there how best to approach it (core/addon) based on what's involved and usage potential based on what's required. Certainly seems like a good way to protect the ACP.

Requirements:
- Smartphone with Android, iOS or Blackberry.
- A Java based desktop version (https://github.com/mclamp/JAuth) and a Firefox Extension (gAuth for Firefox) are also available.
- The server's and the smartphone's clocks need to be in sync, and there are probably some issues with different timezones.

Hopefully I've some time next week.. I think I'll start with admin panel protection and see if I can get it working.
Thorsten "TE" Eurich
------------------------

Re: 2FA for Elk?

Reply #6

Not as a default requirement, and not as something that an admin can force to be a requirement for any login for any member. Frankly, if that sort of thing becomes a "feature", I'll immediately lose any interest in using the software.

Problems:

1/ It's an additional step to make the software harder to use, which is not a good thing in itself.
2/ Not everyone has, or wants to have, a smartphone. Yes, really.
3/ Java has known security problems when running in browsers, so a lot of people prefer to disable Java in the browser.
4/ Not everyone uses Firefox. They should, but some people are silly. :P
5/ There have been times when I've had to admin via some other box due to my usual one being out of action for whatever reason.

I'm sure I could think of more problems if I tried to.
Last Edit: September 07, 2013, 05:35:59 pm by Antechinus
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: 2FA for Elk?

Reply #7

Quote from: Antechinus – Not as a default requirement, and not as something that an admin can force to be a requirement for any login for any member. Frankly, if that sort of thing becomes a "feature", I'll immediately lose any interest in using the software.
OMG...
There is the option to disable "admin security", do you really think we all here around are so dumb to think to introduce a step that requires a third party site, a phone or a plugin or similar just to log in, and make it mandatory?
...well, thank you for the confidence.

Quote from: Antechinus – 1/ It's an additional step to make the software harder to use, which is not a good thing in itself.
There are people that like to have any kind of security layer they can have.

Quote from: Antechinus – 2/ Not everyone has, or wants to have, a smartphone. Yes, really.
Talking about me? :P

Quote from: Antechinus – 3/ Java has known security problems when running in browsers, so a lot of people prefer to disable Java in the browser.
mmm...is there anyone that actually disables the Java plugin? Really?...
I have javascript disabled in most of the cases, but not for domains I "trust", but the java plugin...heck, now that I think about it, I'm not even sure I have it installed... lol

Quote from: Antechinus – 4/ Not everyone uses Firefox. They should, but some people are silly. :P
No, they shouldn't since it's bloatware! :P (At least last time I used it daily in...2009)

Quote from: Antechinus – 5/ There have been times when I've had to admin via some other box due to my usual one being out of action for whatever reason.
That doesn't look relevant since nothing is bound to your "box", rather to a "second factor" (i.e. the phone or something).

Well, I wouldn't use it anyway because google will not have my phone number, ever. Sorry. They already have half of my emails, half of my browsing history, at least the phone number is available only to amazon I think. :P
Bugs creator.
Features destroyer.
Template killer.

Re: 2FA for Elk?

Reply #8

I don't believe the Elk guys were talking about 2FA as standard, but I certainly don't want to make it mandatory for the admin panel. I don't want to have to go to my phone or similar just to use a site when I'm already at my computer.

2. I have a phone, I don't have it on all the time, especially when I'm at home - where I am most of the time.

3. You'd be surprised how commonly it is disabled in the browser. OS X doesn't even ship with Java AT ALL now, you have to explicitly download it separately.

4. Yay, a plugin for the... third...? most popular browser. Wow.

5. The concept of 2FA is straightforward: it takes the 'something you know' (password) and combines it with 'something you have' (phone), in a way that is harder to imitate. Anyone who currently gets your password has the answer to the one-factor auth. But if you need two things to get in, it is much harder to bypass.

It's why IP binding to things can be useful for things like admin, since it's kind of the 'something you have' aspect but not nearly as good as a physical thing you have in a phone.

Re: 2FA for Elk?

Reply #9

Quote from: emanuele –
Quote from: Antechinus – Not as a default requirement, and not as something that an admin can force to be a requirement for any login for any member. Frankly, if that sort of thing becomes a "feature", I'll immediately lose any interest in using the software.
OMG...
There is the option to disable "admin security", do you really think we all here around are so dumb to think to introduce a step that requires a third party site, a phone or a plugin or similar just to log in, and make it mandatory?
I refer you to the earlier posts above yours.

Quote from: TE – Not sure if we should integrate it in the elk core by default...
Quote from: Spuds – Well it looks nice, but how would it be used?  For logins, ACP panel access, or replace our token stuff with this? Just trying to understand how and where it would be put to use.
Quote from: TE – In general it's designed for logins.
<snip>
We could use it for admin panel protection or for the normal login.
So, given the above, I think it is fair to raise concerns about its use for normal logins, either by default or as a setting that an overzealous admin could force on users.


Quote: ...well, thank you for the confidence.
You are most welcome.


Quote
Quote from: Antechinus – 3/ Java has known security problems when running in browsers, so a lot of people prefer to disable Java in the browser.
mmm...is there anyone that actually disables the Java plugin? Really?...
I have javascript disabled in most of the cases, but not for domains I "trust", but the java plugin...heck, now that I think about it, I'm not even sure I have it installed... lol
I have it disabled for general browsing. Occasionally I will enable it for a specific purpose.


Quote
Quote from: Antechinus – 5/ There have been times when I've had to admin via some other box due to my usual one being out of action for whatever reason.
That doesn't look relevant since nothing is bound to your "box", rather to a "second factor" (i.e. the phone or something).
You mean like registering a device..............like a box or something? :P


Quote: Well, I wouldn't use it anyway because google will not have my phone number, ever. Sorry. They already have half of my emails, half of my browsing history, at least the phone number is available only to amazon I think. :P
Yup, more power to Google. Awesome. ::)
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: 2FA for Elk?

Reply #10

I just viewed it like another login option, like OpenID, that a user could use/enable if they had the coolnes$ to have them fancy smart phones. That's why I wanted to see a basic implementation of how it would / could be used. After that, well then we can get out the rocks and pitchforks and storm the ElkArte castle .... Ring the bells Antimodo Ring the bells .. the developers are rioting :P

Re: 2FA for Elk?

Reply #11

K. :P
Master of Expletives: Now with improved family f@&king friendliness! :D

Sources code: making easy front end changes difficult since 1873. :P

Re: 2FA for Elk?

Reply #12

Sooo, 2FA is now implemented, right?
Bugs creator.
Features destroyer.
Template killer.

Re: 2FA for Elk?

Reply #13

yep, it is.. :D there's still some tweaking needed here and there but it works (tested myself with FreeOTP and Google Authenticator)
Thorsten "TE" Eurich
------------------------

Re: 2FA for Elk?

Reply #14

YAY!

 emanuele moves
Bugs creator.
Features destroyer.
Template killer.