Implement TOTP 2fa for user accounts #1001
Reference: Kbin/kbin-core#1001
Using standard Symfony recommended libraries.
When a user has enabled 2fa on their account via their newly altered "password & 2fa" settings page they will be prompted for that code when logging in. Accounts with 2fa enabled cannot be accessed without entering a correct 2fa code.
TODO
Users are able to add 2fa to their account, and remove it. Admins are also able to remove 2fa from a user's account using the normal user admin toolbar and can view accounts that have 2fa enabled in the user listing view.
Title changed from "WIP: Implement TOTP 2fa for user accounts" to "Implement TOTP 2fa for user accounts"

holy moly, this is another big thing.
Title changed from "Implement TOTP 2fa for user accounts" to "WIP: Implement TOTP 2fa for user accounts"

Only thing missing I think is the backup codes implementation. To reduce "help me, I've lost my phone" email spam to admins it is probably worth having.
Backup codes functionality added.
Title changed from "WIP: Implement TOTP 2fa for user accounts" to "Implement TOTP 2fa for user accounts"

I've double checked the API oauth flow using this branch on my dev machine, and it seems to work fine when retrieving a token for an account with 2FA enabled
When reading RFC 6238:
https://datatracker.ietf.org/doc/html/rfc6238#section-5
Yeah, I'm pretty certain that's a recommendation that no one actually follows as it's incredibly hard to get right/correct. PHP's nature as a request-based runtime means it's mostly immune to memory-based leakage and since you wouldn't want to slow things down too much pulling the decryption keys on every request you'd want to cache those somehow, which means any implementation would just be an exercise in obfuscation.
If we were going to start encryption of credentials in the database we'd also want to take a look at the private keys. So mostly the recommendation for this sort of thing is going to be to have an encrypted filesystem to cover your "at rest" issues.
Edit. Have created #1123 to track this possible effort.
Causing regression on translation files, since the translation strings were added to Weblate.