Dolibarr / dolibarr

Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source Web application (written in PHP) designed for businesses of any size, foundations and freelancers.
https://www.dolibarr.org
GNU General Public License v3.0

RFC6238/TOTP for 2FA Login #24309

Closed git-putz closed 6 months ago

git-putz commented 1 year ago

Feature Request

An implementation of Request for Comments: 6238 for simple multifactor login security.

Use case

When enabled and set up for the user, they must enter a TOTP code after logging in with username and password.

Suggested implementation

When a user logs in, have an area in Dolibarr where they can enable and set up their MFA. Have the ability to enable MFA and go through prompts to scan a QR code using a common 'authenticator' app and verify the TOTP code. Have an admin option to enforce MFA for users so they must set it up when they log in next or they cannot access Dolibarr.

Suggested steps

I'm not an application developer but here is the RFC for TOTP https://www.rfc-editor.org/rfc/rfc6238

Maybe look for an existing open-source PHP implementation of this that could be forked or merged into Dolibarr to save time?

hregis commented 1 year ago

@git-putz you can watch the sun where it shines ;-)

https://www.dolistore.com/en/modules/816-Two-Factor-Authentication.html

TOTP + USB key

git-putz commented 1 year ago

@hregis While I can understand the use case for a module store, where others can develop and publish addons to extend the capability of this project in ways that it may otherwise not be intended, I would like to think as the project progresses that some things like 2FA would be better suited as a native option.

Maybe it's just me but I'm not a fan of installing 3rd party modules into an application to get the utility I need. I'd rather see it directly supported by the application if at all possible, especially if it's a core concept.

MFA is essentially a mandatory requirement for systems security now, and pretty much any modern site has the ability to use TOTP authenticator apps for login. So I think it makes sense to have this feature directly available in Dolibarr w/o needing an addon.

hregis commented 1 year ago

@git-putz Yes I understand your desire and I sympathize ... You should know that we do not live in love and fresh water and that all development deserves wages ... Dolibarr is an open-source project but many developments have been developed and funded before being included in the core ... If a developer wants to include TOTP in Dolibarr for free I would not be against ... Opinion to the community!

hregis commented 1 year ago

@git-putz It is reminiscent of what we are living in France right now ... people don't want to work anymore but want to earn money !! We live in a world upside down! We want everything for nothing! Nothing is free at some point! We can't live with nothing!

hregis commented 1 year ago

@git-putz you see my point of view ?

git-putz commented 1 year ago

@hregis It has less to do with 'paying' and more to do with - this is a legitimate request for a core feature of the project.

I'm not sure if your comment is meant as offense or not. I understand you have developed an addon for this project. I respect that, but unfortunately that doesn't mean its purpose is guaranteed in perpetuity. Certainly your module may go above and beyond the basics that could be implemented in the core, and that might be worthwhile for some to invest in.

I'm simply requesting basic TOTP auth be a feature of the core project as it's commonplace in pretty much every web-based platform now.

hregis commented 1 year ago

@git-putz far from being offensive to you, I was just giving my point of view of the situation. It is clear that security is an essential point, especially in this type of application... whatever the case, this type of authentication must remain an additional module and not be integrated because tomorrow who will be able to say that the TOTP will not be obsolete? Could this be replaced by something else? USB key? Printer finger? Laser Intergalactal? Human DNA? ;-)

hregis commented 1 year ago

@git-putz I think it is better for the core of Dolibarr to be able to accept all types of external double authentication methods than to impose a method at a given time and have to change it later because the method is no longer accepted and trusted!

hregis commented 1 year ago

@git-putz you see my point of view ?

git-putz commented 1 year ago

@git-putz I think it is better for the core of Dolibarr to be able to accept all types of external double authentication methods than to impose a method at a given time and have to change it later because the method is no longer accepted and trusted!

That would be great and I'm not against that. But TOTP seems to be a very common and basic form of 2FA and would, I assume, be a good place to start. Unfortunately it's no longer accepted security practice to only secure apps like CRM/ERP with a password. MFA is becoming a mandatory requirement for most systems, especially ones that store sensitive information. Hence why I created this feature request.

TOTP would be an easy option to check that box, but certainly if Dolibarr could authenticate against other third party identity systems using something like SAML and pull in the identity and MFA mechanism attached to that identity, that would be great too!

hregis commented 1 year ago

@git-putz I developed a TOTP module and USB key... for the moment I don't want to integrate it into Dolibarr because it took me time and I would like to have a financial return... if a developer wants to integrate TOTP authentication into Dolibarr for free and if Eldy agrees I'm not against it. After yes... there are a whole bunch of third-party authentication systems like SAML, Google, etc.. which can also use TOTP or others without interaction with Dolibarr!

hregis commented 1 year ago

@git-putz I still remain convinced that we should not limit ourselves to a mode of double authentication because everything is going too fast and tomorrow we will surely have another standard that will change everything and... etc... ;-)

github-actions[bot] commented 7 months ago

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on the latest stable version. If this is a feature request, please comment to notify that the request is still relevant and not yet covered by the latest stable version. This issue may be closed automatically by the stale bot in 10 days (you should still be able to re-open it if required).

n-rodriguez commented 1 month ago

Could this be replaced by something else? USB key? Printer finger? Laser Intergalactal? Human DNA? ;-)

Fine, but at least the Dolibarr team could implement basic 2FA with Google Authenticator. If users want to use other authentication methods they can still use a paid plugin.

What do you think?

n-rodriguez commented 1 day ago

Ping @hregis