BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

[Feature Request] 2FA Implementation #1118

Closed cb3inco closed 3 years ago

cb3inco commented 6 years ago

Describe the feature you'd like Implementation of 2FA time based tokens.

Describe the benefits this feature would bring to BookStack users The benefit would be that I would feel confident allowing BookStack to face the public internet if 2FA could be turned on and enforced. This would allow the user direct access without having to turn on a VPN to get inside our network. I realize this might not be the use case for a lot of folks, but for those who are documenting sensitive systems this would be a huge win.

vincentmakes commented 5 years ago

This feature would be great

Shagon94 commented 5 years ago

Would love to have this feature. Duo has a free plan; I've used Duo and it's great. The only thing that could be a downside to users would be if this too is behind a paywall like the OAuth feature; security should not be placed behind a paywall.

ssddanbrown commented 5 years ago

The only thing that could be a downside to users would be if this too is behind a paywall like the OAuth feature; security should not be placed behind a paywall.

@Shagon94 Sorry, I may be getting confused since I'm not familiar with Duo, but is the mention of a paywall in reference to Duo or in reference to BookStack?

I'd prefer to stay away from anything vendor specific for this tbh, and go for something fairly open and common such as TOTP.

Shagon94 commented 5 years ago

Apologies, I just found the documentation page for OAuth - https://www.bookstackapp.com/docs/admin/third-party-auth/

That being said, MFA / 2FA would be great as well; TOTP would also be a great addition.

Regarding Duo: Duo is a 2FA provider, they have an app as well, and it works like any other 2FA compatible app. The reason I mentioned them was because they have a free plan, so people might prefer having a push that they can just accept over entering the key from the OTP.

Even if we exclude Duo from this, 2FA is a great addition to security; any implementation would be great.

ssddanbrown commented 5 years ago

Just putting this here as a reminder to myself to potentially dig into a webauthn implementation: https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/

ssddanbrown commented 4 years ago

Copy of my message from the closed (In favor of this issue) original issue:

Just to flesh this out a little further, What kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?

Not looking for extra ideas, just want to know what you'd specifically want for your environment(s).

I'm assuming, for new users and for newly-admin-enabled-2fa users, we'd force a "Setup 2FA" step upon login?

Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?

Cave-Johnson commented 4 years ago

As an admin I'd like the option to force enabling 2FA for all users, enable just for Administrators or leave it up to user preference (enabled but not enforced)

I'm assuming, for new users and for newly-admin-enabled-2fa users, we'd force a "Setup 2FA" step upon login?

This would be the method as far as I can tell.

Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?

A backup system would be needed in some form. I think your idea of a CLI command would suffice for small instances. Where that would add more of an overhead is in large deployments. That's where the option of backup codes (i.e. 10 codes you download and keep safe when 2FA is configured) would come in handy, with the CLI as the ultimate fallback.

dvdl16 commented 4 years ago

What kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?

Even just enabling/enforcing it based on Role can also be sufficient

I'm assuming, for new users and for newly-admin-enabled-2fa users, we'd force a "Setup 2FA" step upon login?

Sounds good!

Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?

The CLI command is a good idea

triDcontrols commented 4 years ago

+1 for this feature.

ssddanbrown commented 4 years ago

Hi @triDcontrols, To help gather guidance for implementation could you read and answer my post above?

ark- commented 4 years ago

A keen user of 18 months' opinion...

What kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?

Feel like forcing it on admins is fair as they have much more control. Below that, let users decide. The way Nextcloud forces it on for everyone or no one has caused me issues with people being locked out in the past.

I'm assuming, for new users and for newly-admin-enabled-2fa users, we'd force a "Setup 2FA" step upon login?

This would have to exist to stop existing users being locked out as mentioned above.

Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?

Admin CLI is absolutely fine as long as it's well documented. Other projects have fallen down in the past, as I've found the secret CLI command buried in a closed issue.

kayvanaarssen commented 4 years ago

Any news on this feature? It would make Bookstack more suitable for a lot of things and improve security. Also it will 100% pass Accountant Audits!

ssddanbrown commented 4 years ago

@kayvanaarssen No, no news. Please read and answer my post above to help us understand requirements for this.

kayvanaarssen commented 4 years ago

Like @ark- also commented:

Some points that come to mind:

kayvanaarssen commented 3 years ago

Sorry for pushing this again. But any news on adding 2FA? This is one thing that's holding us back from using BookStack for our clients to log in and look at their documentation, since we want to have it secure.

ssddanbrown commented 3 years ago

@kayvanaarssen No news, I've hardly had time to devote to the project since your last prompt.

Realistically it's not going to be this year, maybe the first half of next year, but that's a big maybe. Authentication work is incredibly arduous and time consuming, and often does not benefit the wider existing BookStack user base, hence I've pretty much met my limit of working on auth this year.

If it's a massively important requirement you could always use one of the other authentication options, such as SAML, along with an identity provider that does support 2FA/MFA.

kayvanaarssen commented 3 years ago

I understand, but it's really good for security of course.

Hope it will make it to BookStack at some point 👍

ark- commented 3 years ago

@kayvanaarssen It might be worth looking into https://github.com/authelia/authelia while waiting for BookStack to implement their own.

JustinByrne commented 3 years ago

As the system is built on Laravel, have you thought of using Fortify for the authentication system? I understand that it would potentially be a lot of extra work replacing the existing authentication system, but you would then be able to include MFA as an option for users.

ssddanbrown commented 3 years ago

@JustinByrne That would introduce a lot of work and only partially solve the technical part, which is not really the challenge. The challenge here is ensuring we have the correct flows and backup options for various existing BookStack use-cases, while thinking how it might need to work/integrate with the various auth options.

Jarli01 commented 3 years ago

Just a bit of a heads up, I believe Snipe-IT uses the same Laravel versions that BookStack does, and maybe taking some inspiration from that project would help get this feature moving along.

ssddanbrown commented 3 years ago

Thanks for the advice @Jarli01, but as mentioned above it's really fleshing out the expected flows/methods/cases/social-expectations that is the tricky part here, not necessarily the technical implementation. Snipe-IT will really have a different intended user base (within an instance) than many BookStack instances.

Answers to my questions above would really help more than anything else.

Jarli01 commented 3 years ago

I would have the option to have mixed-mode 2FA, i.e. readers only may not be required to have 2FA since they are readers, while editors may be required to have 2FA.

I'd have 2FA disabled by default with an optional flag per user account

MxD-js commented 3 years ago

I would have the option to have mixed-mode 2FA, i.e. readers only may not be required to have 2FA since they are readers, while editors may be required to have 2FA.

I'd have 2FA disabled by default with an optional flag per user account

+1, this is the best method of getting 2FA: optional, it's good to have, but not enforced unless the admin specifically enforces it, and it is created either during user sign up or, if the admin sets 2FA as required, on next login the user is presented with a 2FA setup.

Shootify commented 3 years ago

Please add two-factor authentication; it's a MUST for IT service providers, so that would be cool. Thanks for the project.

AlexKalopsia commented 3 years ago

Any concrete plan to put this on the roadmap? Feels like a super important feature.

cttechcorp commented 3 years ago

+1 please.

spencersmallwood commented 3 years ago

+1

ssddanbrown commented 3 years ago

Just to update, an implementation is in progress in #2827

cttechcorp commented 3 years ago

Awesome news! Keep up the good work! Where's the donate button?

ssddanbrown commented 3 years ago

This has now been implemented as part of #2827, and has been merged into master, so will therefore be part of the next feature release.

For this initial implementation, TOTP is supported, in addition to backup codes. MFA can be enforced via BookStack roles. A console command has been added to provide the ability to reset MFA for a certain user from the command line. There's a self-service/setup flow on initial enforcement; otherwise MFA can be configured from the user edit view by any user.

Since this feature is now in the master branch, I'll close this off.
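An added example, not BookStack's own code and not taken from #2827, showing the two verification paths described in the post above in PHP: RFC 6238 TOTP with a one-step clock-skew window and replay protection, plus single-use backup codes stored only as hashes. All function names are hypothetical.

```php
<?php
// Added example (not BookStack's code): TOTP verification with a +/-1 step window
// and replay protection, plus single-use hashed backup codes. Names are hypothetical.
function base32Decode(string $s): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($s, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException('invalid base32 secret'); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// HOTP value (RFC 4226) for one 64-bit counter; TOTP uses counter = floor(time / 30).
function hotpCode(string $secret, int $counter, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $o = ord($hash[19]) & 0x0f;                     // dynamic truncation offset
    $bin = ((ord($hash[$o]) & 0x7f) << 24) | (ord($hash[$o + 1]) << 16)
         | (ord($hash[$o + 2]) << 8) | ord($hash[$o + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time step (persist it as the user's last used step) or null.
// Steps at or before $lastUsedStep are refused so a captured code cannot be replayed.
function verifyTotp(string $base32Secret, string $code, int $now, int $lastUsedStep = -1): ?int {
    $secret = base32Decode($base32Secret);
    $step = intdiv($now, 30);
    for ($i = -1; $i <= 1; $i++) {                  // tolerate one step of clock skew
        $candidate = $step + $i;
        if ($candidate <= $lastUsedStep) { continue; }
        if (hash_equals(hotpCode($secret, $candidate), $code)) { return $candidate; }
    }
    return null;
}

// Backup codes are stored only as password hashes; a code is removed on first use.
function verifyBackupCode(array &$hashedCodes, string $candidate): bool {
    foreach ($hashedCodes as $idx => $hash) {
        if (password_verify($candidate, $hash)) {
            unset($hashedCodes[$idx]);              // single use: consume the code
            return true;
        }
    }
    return false;
}
```

The caller persists the returned step and the shrunken backup-code array after each success; the admin reset path described above would simply clear both the secret and the stored hashes for that user.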

Cave-Johnson commented 3 years ago

Amazing work as always! Looking forward to testing this when it's released

cb3inco commented 3 years ago

Thank you @ssddanbrown!