Loading...
 
Skip to main content

History: Multi-factor authentication

Source of version: 23 (current)

Copy to clipboard
"Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur." Source: http://en.wikipedia.org/wiki/Multi-factor_authentication

[http://timreview.ca/article/716|Multifactor Authentication: Its Time Has Come]

{youtube movie="http://www.youtube.com/watch?v=tWZgQvWy22A"}

Goal: add this to Tiki in the context of [http://wikisuite.org/] 

Better to do in ClearOS, so it becomes available to Tiki and all the other apps (Kolab, VPN, Piwik, Openfire, Kimchi, Syncthing, etc.)
http://tracker.clearfoundation.com/view.php?id=1412 -> https://github.com/WikiSuite/app-two-factor-auth

{HTML()}<script type="text/javascript" src="https://www.openhub.net/p/673511/widgets/project_factoids_stats.js"></script>{HTML}
Pro
* Implements TOTP
Con
* Written in C

{HTML()}<script type="text/javascript" src="https://www.openhub.net/p/333679/widgets/project_factoids_stats.js"></script>{HTML}
Pro
* Implements HOTP
Con
* Written in C++
* Is a PAM module
* Does not implement TOTP

{HTML()}<script type="text/javascript" src="https://www.openhub.net/p/695040/widgets/project_factoids_stats.js"></script>{HTML}
Pro
* 
Con
* Written in Ruby or Python (Can't tell for sure, since site is dead)
* Project on github dead (according to link on OpenHub

{HTML()}<script type="text/javascript" src="https://www.openhub.net/p/719860/widgets/project_factoids_stats.js"></script>{HTML}
Pro
* Implements TOTP
Con
* Written in Java

None of the above is a workable solution for Tiki due to programming language incompatibilities and most of them having totally different scopes.

!!Generic TOTP approach
This is not an issue of choosing a fancy library. This is an issue of choosing a properly working open protocol. The probably most widely used Two-Factor-Authentication is the [https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm|Time-based One-Time Passwords Algorithm]  (TOTP) based on [https://tools.ietf.org/html/rfc6238|RFC 6238], which is also implemented by almost all of the above projects. There is a widely used token implementation in form of the Google Authenticator app for smartphones. Despite the name it is a fully open source application. There is also a non-Google branded app --[https://f-droid.org/packages/net.bierbaumer.otp_authenticator/]--(discontinued), maintained fork of the previous app: [https://f-droid.org/en/packages/org.shadowice.flocke.andotp/].
What's needed to make this work is some PHP code in Tiki and luckily there are libraries for this:

* [https://github.com/Dolondro/google-authenticator]
* [https://github.com/PHPGangsta/GoogleAuthenticator]
* https://packagist.org/search/?tags=totp
* https://packagist.org/search/?tags=hotp

An additional advantage here is, that people can just continue using the same app on the phone as they did for all kinds of other high-profile sites before.

This is also how Joomla does it:
* [http://www.knowledgement.ie/general/two-factor-authentication-in-joomla-3-2]

!! Alternative approach
Another option is using GPG-keys as the second factor. On login the user is presented with a GPG-encrypted message he has to decrypt and paste the resulting code back into Tiki to finish the login. The basics for GPG-encryption seem to be available in Tiki already, so this avenue should be considered as an alternative option to the more standard TOTP/Authenticator.

!! Future Options
In the long term it will probably become interesting to implement [https://en.wikipedia.org/wiki/Universal_2nd_Factor|U2F (Universal 2nd Factor] which uses specialised USB or NFC devices and does some other things to strengthen the authentication process.

* https://packagist.org/packages/yubico/u2flib-server
* https://github.com/Samyoul/U2F-php-server (now in phpMyAdmin)
* https://packagist.org/?q=u2f&p=0

!! Related links
* https://twofactorauth.org/
* http://googleonlinesecurity.blogspot.ca/2014/10/strengthening-2-step-verification-with.html
* https://kolab.org/blog/seigo/2015/10/19/kolab-sso-and-second-factors
* https://github.com/paragonie/multi_factor
* https://github.com/WikiSuite/app-two-factor-auth-extension 
* https://github.com/WikiSuite/app-two-factor-auth
* https://f-droid.org/en/packages/org.fedorahosted.freeotp/

-=alias=-
* (alias(MFA))
* (alias(two-factor authentication))
* (alias(two-step verification))
* (alias(TFA))
* (alias(T-FA))
* (alias(2FA))
Show PHP error messages