add:
1) allow to use multiple 2FA tokens
2) allow to change challenge-response servers for YubiKeys (added as result from
"crazy talks" - see this thread :)
Category | ⇒ | Authentication Feature Request Plugins |
I have already proposed that to the PLT and it got rejected. Here are all the 2FA improvements I proposed and all of them got rejected:
I used to maintain those plugins myself with the hope they'd be included in the core. When it became obvious this will never happen I simply abandoned that code. You can still find it here: https://github.com/akeeba/yubikeyauth Please note that the code in that repository is licensed under GPL v3.
The thing is that Joomla now asks developers to submit such plugins as "core supported" extensions. I see no benefit for me in maintaining these specific plugins under these conditions so please don't even bother asking me to submit them as core supported plugins :)
@nikosdion thanks a lot :) :
this should be a core functionality
with main reason to support: AS USER NEED TO SET/HAVE A BACKUP KEY !!!
There is a less elegant solution. In case you get locked out of your site there are ten emergency one-time password codes which are generated after you enable two-factor authentication. Print them out and stick that piece of paper in your wallet – or, better yet, your password manager. When you need to log into your site but you don't have your YubiKey with you just use one of these codes and cross it out.
That said, I agree with you that this is a major pain in the rear. I use my multi-key plugin on my own site. I hoped I could get it into Joomla but... ¯_(ツ)_/¯
@nikosdion in case i get locked out i open sql server and make myself a clear way :) but i have many sites and i use multiple keys - some of them i use as spare ones, as a backup with all data in case i lose the first one - this applies to totps / encryption keys / signing keys / certificates / passwords etc
why is it so difficult to make them roll out two or more keys
1) it's required to make one more table with user-id, keys
2) make user-id relation to user table and that's all
3) then php should check if the relation exists as second factor
4) then authorize via challenge-response
#i will go a little forward
you should allow to set up custom challenge-response servers !!!
as i got my own i could do all the dirty work for myself, not relying on yubico servers - and this is one more thing to consider - how secure is it to allow a third party to take place in this (security) chain??? (dns poisoning, spoofing etc) ?
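The steps in the comment above (a per-user table of keys, then a check of the reply from whichever validation server the site trusts), sketched as an added example that is not part of the original thread, the linked plugin, or Joomla's code. It is written in Python rather than Joomla's PHP; the table and function names are hypothetical, the sample rows are constructed, no server is contacted, and the reply check follows the signature rule of the Yubico validation protocol 2.0 (HMAC-SHA1 over the sorted parameters, keyed with the shared API key).

```python
import base64, hashlib, hmac, sqlite3

MODHEX = set("cbdefghijklnrtuv")  # alphabet used by Yubico OTPs

def open_db():
    """Hypothetical schema: one user row, any number of enrolled key rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE user_yubikeys (
            user_id   INTEGER NOT NULL REFERENCES users(id),
            public_id TEXT NOT NULL,
            PRIMARY KEY (user_id, public_id));
    """)
    return db

def public_id(otp):
    """Default-configuration OTP: 12-char public ID + 32-char encrypted part."""
    otp = otp.strip().lower()
    if len(otp) != 44 or not set(otp) <= MODHEX:
        return None
    return otp[:12]

def key_belongs_to_user(db, user_id, otp):
    """Steps 1-3: is the presented key one of this user's enrolled keys?"""
    pid = public_id(otp)
    if pid is None:
        return False
    return db.execute("SELECT 1 FROM user_yubikeys WHERE user_id=? AND public_id=?",
                      (user_id, pid)).fetchone() is not None

def sign(params, api_key_b64):
    """HMAC-SHA1 over sorted key=value pairs (h excluded), base64-encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def response_ok(resp, otp, nonce, api_key_b64):
    """Step 4: accept a server reply only if it is signed and bound to our request."""
    good_sig = hmac.compare_digest(sign(resp, api_key_b64).encode(),
                                   str(resp.get("h", "")).encode())
    return (good_sig and resp.get("otp") == otp
            and resp.get("nonce") == nonce and resp.get("status") == "OK")

if __name__ == "__main__":
    db = open_db()  # constructed sample data, not real key IDs
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    db.execute("INSERT INTO user_yubikeys VALUES (1, 'ccccccbbbbbb')")
    print(key_belongs_to_user(db, 1, "ccccccbbbbbb" + "c" * 32))
```

Because the reply is checked against a shared API key and the request's own OTP and nonce, a spoofed or redirected validation host cannot produce an accepted answer without that key, whether the server is Yubico's or self-hosted.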
98% of Joomla users have probably never heard of 2FA or yubico :-)
@PhilETaylor - but they will sooner or later - and Joomla will be prepared to handle this ( or not ;/ )
@PhilETaylor @nikosdion - if there are so many users/developers unhappy with JoomlaTeam politics and behavior why will we not make a fork of it ?? as a new Team ? there are plenty of reasons to do this ... ( see example OpenOffice vs StarOffice LibreOffice etc http://www.zdnet.com/article/openoffice-is-dead-long-live-libreoffice/ ) - or we can join efforts and make plugins/modules/components and sell them :) later (with a small price or use a donation model ??? why not ?) now I'm working on a project to create a webinar courses site with use of nginx / rtmp / obs / joomla - and i need to bind all this with acl / etc - why not make of it (whole solution) a source of income ? i got knowledge in java / linux / servers administration, a little php, but i am willing to cooperate in case someone is willing :) - the problem is the day has only 24 hours and i got only 2 hands ;/
Go for it - nothing stops you - that's the beauty of open source - just don't forget that you have to maintain the GPL v2 License
Go for it - nothing stops you
Time, time goes by ....
ps.
does the joomla team use some sort of vote/rate/review for requests and enhancements ? if not why ?
So you have no time to contribute - just to complain - and you want others to do things for you - sad
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-10-08 12:59:24 |
Closed_By | ⇒ | brianteeman |
@brianteeman - that's your point of view - you have the right to have one :) but:
(this may sound weird but i don't use the English language, much less do I know all the idioms)
1) did you bother to check basics about my person ?
2) so how many times i did post here ?
3) more how many times i did complain ?
3) did you bother to read what i wrote ?
4) or did you only see these sentences, that prick you in the eye?
@nikosdion ;-)