c3ph3us
3 Oct 2016

add:

1) allow to use multiple 2FA tokens
2) allow to change challenge-response servers for YubiKeys (added as result from "crazy talks" - see this thread :)

c3ph3us - open - 3 Oct 2016
zero-24 - change - 3 Oct 2016
Labels Added: ?
brianteeman - change - 3 Oct 2016
Category: Authentication, Feature Request, Plugins
PhilETaylor - comment - 4 Oct 2016
nikosdion - comment - 4 Oct 2016

I have already proposed that to the PLT and it got rejected. Here are all the 2FA improvements I proposed and all of them got rejected:

  • Support for multiple YubiKey tokens
  • Support for multiple YubiKey tokens with a Google Authenticator (TOTP) fallback
  • U2F support

I used to maintain those plugins myself with the hope they'd be included in the core. When it became obvious this will never happen I simply abandoned that code. You can still find it here: https://github.com/akeeba/yubikeyauth Please note that the code in that repository is licensed under GPL v3.

The thing is that Joomla now asks developers to submit such plugins as "core supported" extensions. I see no benefit for me in maintaining these specific plugins under these conditions so please don't even bother asking me to submit them as core supported plugins :)

c3ph3us - comment - 5 Oct 2016

@nikosdion thanks a lot :) :

this should be a core functionality
with main reason to support: AS USER NEED TO SET/HAVE A BACKUP KEY !!!

nikosdion - comment - 6 Oct 2016

There is a less elegant solution. In case you get locked out of your site there are ten emergency one-time password codes which are generated after you enable two factor authentication. Print them out and stick that piece of paper in your wallet – or, better yet, your password manager. When you need to log into your site but you don't have your YubiKey with you just use one of these codes and cross it out.

That said, I agree with you that this is a major pain in the rear. I use my multi-key plugin on my own site. I hoped I could get it into Joomla but... ¯_(ツ)_/¯

c3ph3us - comment - 6 Oct 2016

@nikosdion in case i get locked out i open sql server and do myself a clear way :) but i have many sites and i use multiple keys - some of them i use as spare one as a backup with all data in case i get lost first one - this applies to totps / encryption keys / signing keys / certificates / passwords etc

why is it so difficult to make them to roll out two or more keys
1) it's required to make one more table with user-id, keys
2) make user-id relation to user table and that's all
3) then php should check if relation existing as second factor
4) then authorize via challenge-response

#i will go little forward

you should allow to set up custom challenge response servers !!!
as i got my own i could do all dirty work for myself not relying on yubico servers - and this is one more thing to consider - how secure is to allow third party to take place in this (security) chain??? (dns poisoning spoofing etc ) ?
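
The multi-key scheme sketched in the comment above (a key table related to the user table, a membership check, then challenge-response validation), as an added example that is not part of the thread or of Joomla's code. It uses Python with SQLite for brevity; the table and function names are hypothetical, the default 44-character Yubico OTP format with a 12-character public ID is assumed, and `validate` stands in for whichever validation server is configured.

```python
import sqlite3

MODHEX = set("cbdefghijklnrtuv")  # alphabet used by Yubico OTPs

def public_id(otp):
    """Return the 12-char public ID of a 44-char Yubico OTP, or None."""
    otp = otp.strip().lower()
    if len(otp) != 44 or not set(otp) <= MODHEX:
        return None
    return otp[:12]

def open_store():
    """In-memory store; schema names are hypothetical, not Joomla's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        PRAGMA foreign_keys = ON;
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
        CREATE TABLE user_keys (
            user_id   INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
            public_id TEXT NOT NULL UNIQUE,  -- one token maps to one account
            label     TEXT NOT NULL          -- e.g. 'primary', 'backup'
        );
    """)
    return db

def enroll(db, user_id, otp, label):
    """Register one more key for a user by touching it once."""
    pid = public_id(otp)
    if pid is None:
        raise ValueError("not a Yubico OTP")
    db.execute("INSERT INTO user_keys VALUES (?, ?, ?)", (user_id, pid, label))

def check_second_factor(db, user_id, otp, validate):
    """True only if the OTP is from a key enrolled for this user AND validates.

    `validate` is a callable(otp) -> bool standing in for the configured
    validation server (Yubico's or a self-hosted one); it is an assumption.
    """
    pid = public_id(otp)
    if pid is None:
        return False
    row = db.execute(
        "SELECT 1 FROM user_keys WHERE user_id = ? AND public_id = ?",
        (user_id, pid)).fetchone()
    if row is None:
        return False  # a valid OTP from someone else's key must not pass
    return bool(validate(otp))
```

The membership check runs before the server call, so an OTP from a key enrolled to a different account is rejected without ever being sent for validation.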

PhilETaylor - comment - 6 Oct 2016

98% of Joomla users have probably never heard of 2FA or yubico :-)

c3ph3us - change - 6 Oct 2016
The description was changed
c3ph3us - edited - 6 Oct 2016
c3ph3us - change - 6 Oct 2016
The description was changed
c3ph3us - edited - 6 Oct 2016
c3ph3us - change - 6 Oct 2016
The description was changed
c3ph3us - edited - 6 Oct 2016
c3ph3us - comment - 6 Oct 2016

@PhilETaylor - but they will sooner or later - and Joomla will be prepared to handle this ( or not ;/ )

PhilETaylor - comment - 6 Oct 2016

@c3ph3us I doubt it.

"I have already proposed that to the PLT and it got rejected"

c3ph3us - comment - 6 Oct 2016

@PhilETaylor @nikosdion - if there is so many unhappy users/developers of JoomlaTeam politics and behavior why we will not make fork of it ?? as new Team ? there is plenty of reasons to do this ... ( see example OpenOffice vs StarOffice LibreOffice etc http://www.zdnet.com/article/openoffice-is-dead-long-live-libreoffice/ ) - or we can join efforts and make plugins/modules/components and sell them :) later (with small price or use a donation model ??? why not ? now I'm working on project to create a webinary courses site with use of nginx / rtmp / obs / joomla - and i need to bind all this with acl / etc - why not make of it (whole solution) a source of income ? i got knowledge in java / linux / servers administration little php but i will to cooperate in case someone willing :) - the problem is day has only 24 hours and i got only 2 hands ;/

brianteeman - comment - 6 Oct 2016

Go for it - nothing stops you - that's the beauty of open source - just don't forget that you have to maintain the GPL v2 License

c3ph3us - comment - 8 Oct 2016

@brianteeman

"Go for it - nothing stops you"

Time, time goes by ....

ps.

does joomla team use some sort of vote/rate/review for request and enhancements ? if not why ?

brianteeman - comment - 8 Oct 2016

So you have no time to contribute - just to complain - and you want others to do things for you - sad

brianteeman - change - 8 Oct 2016
Status: New -> Closed
Closed_Date: 0000-00-00 00:00:00 -> 2016-10-08 12:59:24
Closed_By: brianteeman
brianteeman - close - 8 Oct 2016
c3ph3us - comment - 8 Oct 2016

@brianteeman - that's your point of view - you have right to have one :) but:

(this may sounds weird but i don't use English language the more I do not know all the idioms)

1) did you bother to check basics about my person ?
2) so how many times i did post here ?
3) more how many times i did complain ?
3) did you bother to read what i wrote ?
4) or did you only saw these sentences, that prick you in the eye?

"don't judge a book by its cover"

- George Eliot's The Mill on the Floss (1860)
