This is a feature request: Currently the choice is to use google authenticator or yubico OTP.
Which is already not bad, but it could be even better. One cannot choose to use U2F, and it is not possible to have a second backup key (possible in U2F mode only) without creating e.g. multiple admin accounts. The OTP mode also makes the website dependent on Yubico's cloud for the login.
Support FIDO U2F as well, allow multiple keys for backup.
Only google auth or yubico OTP supported. No backup keys.
Not relevant
Kudos for implementing a meaningful 2FA at all. But the more general approach of U2F would be better.
Status | New | ⇒ | Information Required |
Since there is already a free extension, is it necessary to implement/include in the core?
Can Release Lead @mbabker make a decision?
This is indeed a policy decision.
I personally consider the login/auth part core functionality and did not even expect it to be something done by 3rd party plugins, so did not know about the existence of Akeeba's 3rd party plugin. Especially as Joomla does offer 2FA itself as a core feature, just not the more modern U2F method.
Reading the description of Akeeba's LoginGuard, it actually does not change the normal login process, but redirects to a 2nd login to effect the 2FA. Technically that is a bit inelegant and certain info may leak, as Joomla considers the user logged in and Akeeba's plugin just tries to intercept it until the 2FA is also solved.
Status | Information Required | ⇒ | Discussion |
Labels | Added: J3 Issue |
U2F support is sorely needed directly in the Joomla core.
I tried Akeeba LoginGuard, but even with U2F enabled LoginGuard uses mandatory backup codes as a bypass mechanism and it's not allowed to disable the codes. akeeba/loginguard#44
The option to never have emergency onetime use backup codes is never going to happen here either for exactly the same reason given here akeeba/loginguard#44
Even with backup codes, it would be safer if the Joomla core was handling them than a 3rd party plugin that does a redirect for the 2FA login.
More people are looking at the core than at 3rd party plugins. I never even knew about LoginGuard before reading about it today in this thread and trying it - it definitely looks interesting but at the same time has me worried.
Since the Firefox 60 release, FIDO U2F has been superseded by WebAuthn/FIDO 2.0 (which includes support for U2F tokens), which will also be implemented in Chrome 67, and in some form in MS Edge and Safari. Previously U2F was supported officially by Chrome and, partially, in Firefox, disabled by default.
Joomla already supports Yubikey and WebAuthn probably will be much more widely used.
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-08-18 12:27:05 |
Closed_By | ⇒ | wilsonge |
I don't see us adding any additional core 2FA plugins at this time. Practically this only needs to be a plugin and not a full-blown extension, as Nic chose to do with Akeeba. The API exists. It just requires someone to write an extension for it. At a very quick glance, for example, this plugin claims to have U2F support: https://extensions.joomla.org/extension/openotp-authentication/
I'm going to close this PR right now. Of course if someone does propose it as code though I'd be happy to review it at that time.
Did you know that there is a free extension available that will do this?
https://www.akeebabackup.com/products/loginguard.html