Implement TOTP 2fa for user accounts #1001
Using standard Symfony recommended libraries.
When a user has enabled 2fa on their account via their newly altered "password & 2fa" settings page they will be prompted for that code when logging in. Accounts with 2fa enabled cannot be accessed without entering a correct 2fa code.
- Allow a user to remove 2fa from their account
- Allow an admin to remove 2fa from a user's account
- Enable backup codes functionality
- Testing testing testing
Users are able to add 2fa to their account, and remove it. Admins are also able to remove 2fa from a user's account using the normal user admin toolbar and can view accounts that have 2fa enabled in the user listing view.
Only thing missing I think is the backup codes implementation. To reduce "help me, I've lost my phone" email spam to admins it is probably worth having.
I've double checked the API oauth flow using this branch on my dev machine, and it seems to work fine when retrieving a token for an account with 2FA enabled
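As an added illustration of the login-time check the description above calls for, plus the single-use backup codes still on the list, here is a small RFC 6238 verifier. It is example code written for this thread, not part of this PR or of the Symfony 2fa bundle it uses. It shows the pieces a login handler needs to get right: a one-step clock tolerance, constant-time comparison, refusal to accept a time step that has already been consumed (so a code seen once cannot be replayed inside the window), and backup codes stored only as hashes and burned on use. The `TotpAccount` class, its method names, and the sample key (the RFC 6238 Appendix B test secret) are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class TotpAccount:
    """Hypothetical per-user 2FA record (not the project's entity): the shared secret,
    the newest time step already accepted, and hashes of the unused backup codes."""

    def __init__(self, secret: bytes, digits: int = 6) -> None:
        self.secret = secret
        self.digits = digits
        self.last_used_step = -1          # replay guard: a step is accepted at most once
        self.backup_code_hashes: set = set()

    def verify_totp(self, submitted: str, now: Optional[int] = None, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps (clock drift), but
        never for a step at or before one already consumed."""
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - window, current + window + 1):
            if step <= self.last_used_step:
                continue
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, submitted.strip()):  # constant-time compare
                self.last_used_step = step
                return True
        return False

    def issue_backup_codes(self, count: int = 10) -> List[str]:
        """Generate one-time recovery codes; only their hashes are kept. 64 bits of
        randomness per code is what makes an unsalted fast hash acceptable here."""
        codes = [secrets.token_hex(8) for _ in range(count)]
        self.backup_code_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def redeem_backup_code(self, submitted: str) -> bool:
        """Consume a backup code: each one works exactly once."""
        digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
        matched = None
        for stored in self.backup_code_hashes:   # scan all so timing does not reveal a hit
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self.backup_code_hashes.remove(matched)
        return True


# Constructed demo key: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    acct = TotpAccount(RFC_TEST_SECRET)
    t = 1111111109
    code = totp(RFC_TEST_SECRET, t)
    print("TOTP at", t, "=", code, "accepted:", acct.verify_totp(code, now=t))
    print("same code replayed:", acct.verify_totp(code, now=t))
    backups = acct.issue_backup_codes(3)
    print("backup code accepted once:", acct.redeem_backup_code(backups[0]),
          "then rejected:", acct.redeem_backup_code(backups[0]))
```

The `last_used_step` field is the part most implementations forget: without it a code that was phished or shoulder-surfed stays valid for the whole drift window, and a bundle's "window" setting widens that exposure. Persist it with the user record, and treat the backup-code hash set the same way as the secret when deciding what needs protecting at rest.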
When reading RFC 6238:

    We also RECOMMEND storing the keys securely in the validation system, and, more specifically, encrypting them using tamper-resistant hardware encryption and exposing them only when required: for example, the key is decrypted when needed to verify an OTP value, and re-encrypted immediately to limit exposure in the RAM to a short period of time.
Yeah, I'm pretty certain that's a recommendation that no one actually follows as it's incredibly hard to get right/correct. PHP's nature as a request-based runtime means it's mostly immune to memory-based leakage, and since you wouldn't want to slow things down too much pulling the decryption keys on every request you'd want to cache those somehow, which means any implementation would just be an exercise in obfuscation.
If we were going to start encryption of credentials in the database we'd also want to take a look at the private keys. So mostly the recommendation for this sort of thing is going to be to have an encrypted filesystem to cover your "at rest" issues.
Edit. Have created #1123 to track this possible effort.
Causing regression on translation files, since the translation strings were added to Webplate.