
2 factor authentication support

Open dransome opened this issue 8 years ago • 5 comments

As discussed with @alexweissman on chat, I would like to see 2FA in UF.

https://github.com/RobThree/TwoFactorAuth was noted as a possible starting point.

dransome avatar Oct 31 '17 16:10 dransome

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar May 06 '19 00:05 stale[bot]

@dransome @alexweissman

Hi

This feature request for 2FA is ~ 4 yrs old now.

Everything else about UserFrosting looks really modern and has been getting updates to latest PHP, tech, etc.

Did 2FA get implemented for UserFrosting and just not get added here? For login with Google Auth, Authy, Yubikey, etc?

Thanks!

ghost avatar Nov 12 '21 15:11 ghost

Not implemented, and from the history this was closed by stalebot during its brief stint.

There are a few areas to consider in adding 2FA support.

  1. How should the security be modeled? GitHub for example requires that the 2FA workflow have been used recently to access sensitive areas such as settings.
  2. What would account recovery look like? The current workflow allows a password reset so long as the user has access to their email.
  3. What happens if someone loses their 2FA? GitHub offers a solution in the form of a handful of single-use codes.
  4. How do we ensure that apps which use an API backed by UserFrosting aren't locked-out unintentionally by implementors enabling 2FA support without updating their apps?

Silic0nS0ldier avatar Nov 13 '21 07:11 Silic0nS0ldier
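
An added example, not code from this thread or from UserFrosting, of points 1 and 3 in the list above: single-use recovery codes stored only as hashes, and a check that the second factor was verified recently before a sensitive area is opened. The class and function names, the in-memory storage and the 15-minute window are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (assumption, not UserFrosting API); the array stands in for a DB table.
final class TwoFactorRecovery
{
    private array $hashes = [];   // SHA-256 hashes of the codes not yet used

    /** Issue $count codes: plaintext is returned once for display, only hashes are kept. */
    public function issue(int $count = 8): array
    {
        $this->hashes = [];       // re-issuing invalidates every older code
        $codes = [];
        for ($i = 0; $i < $count; $i++) {
            $code = bin2hex(random_bytes(10));   // 80 bits from the CSPRNG, lowercase hex
            $codes[] = $code;
            $this->hashes[] = hash('sha256', $code);
        }
        return $codes;
    }

    /** Accept a code at most once; every stored hash is compared in constant time. */
    public function redeem(string $input): bool
    {
        $candidate = hash('sha256', strtolower(trim($input)));
        $matched = null;
        foreach ($this->hashes as $index => $stored) {
            if (hash_equals($stored, $candidate)) {
                $matched = $index;
            }
        }
        if ($matched === null) {
            return false;
        }
        unset($this->hashes[$matched]);   // burn the code so it cannot be replayed
        return true;
    }
}

/** True when the second factor was verified no more than $maxAge seconds before $now. */
function secondFactorIsFresh(?int $verifiedAt, int $now, int $maxAge = 900): bool
{
    return $verifiedAt !== null && $now >= $verifiedAt && ($now - $verifiedAt) <= $maxAge;
}

// Constructed usage: redeem the same code twice, then test two timestamps against the window.
$recovery = new TwoFactorRecovery();
$codes = $recovery->issue();
var_dump($recovery->redeem($codes[0]), $recovery->redeem($codes[0]));
var_dump(secondFactorIsFresh(1000, 1600), secondFactorIsFresh(1000, 2000));
```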

I really don't know all the nuts & bolts, just that I use 2FA 'everywhere' these days. Mostly with Google-type OTP tokens, a lot with Yubi keys, more and more with push auth like PingID or DuoSecurity, and still some with TXT message tokens.

When I started looking into this, it seems like rolling your own 2FA is just as common as doing your own User Management.

I use Authy to generate my 2FA tokens everywhere, so I 1st started looking around at how they do it.

I found this framework,

https://www.twilio.com/docs/authy

which has an API and good docs.

I also found this

https://github.com/scheb/2fa
https://symfony.com/bundles/SchebTwoFactorBundle/5.x/index.html

which looks like another framework mostly for Symfony, and so Laravel too?, that has thought through a bunch of it.

I really don't have the knowhow to code the whole thing custom from scratch. Especially for each & every web app. Which is why I came looking for and was excited to find UserFrosting!

And sounds like you already know about GH 2FA a bit

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa

ghost avatar Nov 13 '21 11:11 ghost

A bit late to the party...

I once implemented Authy 2FA (https://www.twilio.com/docs/authy) into UF3 a few years ago. I started a sprinkle at some point to try and get it in, but life happened.

To go with something like Authy or Authenticator would be a nicer option as it would cover losing 2FA as it is linked to an email address and a phone number. The application also has a bit of a footprint as being available for mobile and desktop. I am having more and more free time and very willing to assist where I can.

TheMainJoe avatar Dec 22 '21 21:12 TheMainJoe