Neos-Metaverse / NeosPublic

A public issue/wiki only repository for the NeosVR project

2FA and Recovery Email /contact options #1874

Open peterthethinker opened 3 years ago

peterthethinker commented 3 years ago

Is your feature request related to a problem? Please describe.

Yes. As one of the commercial users, I am getting more and more worried about the lack of account lockout recovery and 2FA options.

Describe the solution you'd like

OK, so for recovery, a place to add a 2nd email as a backup, and also backup codes, would be ideal.

As for 2FA, I personally hate TOTP, as it means you need a phone nearby, and oftentimes phones are not allowed in a secure building. Many of Neos's potential business users may not allow them on premises.

YubiKeys and FIDO2 are, last I looked, an open-source API, and USB FIDO2 tokens are the gold standard.

Every infosec study has pointed to them as the most user-friendly option. Yes, they cost money. The pro/business users don't care about that $15 dongle cost compared to a pro-grade program and the IP that account can contain!


Ideally I would like to see the options to use

As a side note, every implementation of FIDO2 tokens has the option to register up to 5 physical tokens. So if one gets lost, it's not gonna axe your account access. You just de-auth that token and it's now useless!

This covers 99% of users / use cases and gives enterprises the confidence to invest in Neos.

A tie-in to all of this is fast user switching and the option to store users as icons, like any normal OS does.

A use case I see that is useful:

A Neos Pro deployment is in an office. User A can click on their name and use the FIDO USB key to log in. They do their thing and log out. User B can then click on their name and do the same.


Thusly you have fast, enterprise-grade security and convenience.

Case in point: macOS, W10 and Active Directory all support this behaviour, and I've used this use case a ton at my old job. It works very well. For a shared PC this is a key feature.

Here are the 2 ways a FIDO token can be used, and both have a place in Neos.

  1. User enters email > PW > and as a 2nd factor they tap on their key.
  2. User clicks on their name and taps on their key.

The latter is done where you pre-auth a PC as a trusted system, so there is still a PW challenge to get the account onto that system. So a stolen token is not a direct threat.

Users can choose to only need the 2FA for new PCs, or to "trust this computer" for a few days, or to need it every time.

Links

This is a lot to take in, and I am more than happy to boil down the details if you wish. Sorry if the markup is odd. GitHub is not made for normies to use as a text program.

3x1t-5tyl3 commented 3 years ago

Duplicate of #318 ?

ProbablePrime commented 3 years ago

Not exactly, OAuth is different from 2 Factor. I think there's a 2FA issue though.

ProbablePrime commented 3 years ago

Duplicate of: https://github.com/Neos-Metaverse/NeosPublic/issues/206 ?

Which is 2FA, however components of this are not.

peterthethinker commented 3 years ago

The entire premise is that it is MORE than just TOTP... goes into much more detail.

And also, at the same time, addresses the fact we have no way to recover an account.

peterthethinker commented 3 years ago

To be clear:

I am addressing this as a Neos Commercial license request for that program (exe) and its users in an enterprise environment.
I posted it here so that the consumer users can chime in, and hopefully it ends up in both versions.

ProbablePrime commented 3 years ago

That's OK, I commented that it has additional requests not covered in #206. However, #206 is where users appear to be talking about just TOTP. So it might be cool to limit this discussion here to non-TOTP.

peterthethinker commented 3 years ago

Not worth my time to argue this.

ProbablePrime commented 3 years ago

Hey Peter, I'm sorry you feel that way. This isn't an argument though.

One important thing about issue management is to ensure that duplicates and related issues are found and linked across issues. I apologize for not being clear in my responses but mentioning #206 in the context of this issue is very important as some solutions were discussed there that could help.

It isn't an exact duplicate for sure, but it is highly related.

Your comment on other account recovery options is great. I'm trying to help focus the discussion here on the other comments that are not TOTP. I even tidied up your formatting for you to make it clearer for other users.

If you'd like I can re-state this request in my own words that are true to your original request which should provide additional clarity.

peterthethinker commented 3 years ago

I am gonna use the proper channels for this... It's not a consumer issue.

ProbablePrime commented 3 years ago

By my understanding, this is the proper channel for feature requests that can be utilized by regular users too.

As a fellow Pro License Owner, I'd enjoy this feature for both the regular population and the Business Applications.

I have a sizeable sum of all currencies available in Neos and protecting that is very important.

peterthethinker commented 3 years ago

Here is why I despise GitHub. I don't feel it's right that people can edit what is typed. I have said what I did in a way that I am comfy with, with a desired result... you editing my OG post means I can't be assured you know what I want, and stuff is bound to be lost in the edit.

H3BO3 commented 3 years ago

@peterthethinker You can review what changes were made if you click on the "edited" dropdown. All I see are spelling and grammatical corrections for easier readability, nothing that would change the meaning of what you typed.

ProbablePrime commented 3 years ago

I would never change the meaning. I apologize.

peterthethinker commented 3 years ago

any progress?????????????

FlameSoulis commented 3 years ago

Not sure if this issue is in relation to the 2FA announcement, but just bumping for YubiKey/FIDO2 support, especially with logins. I already have a long password, and having to type it every time I log into Neos would be a complete chore. It'd be nice if you could have it remember your password, but require the 2FA for proceeding if it's enabled. If the 2FA fails, then dump the remembered data.

If this should be its own issue, let me know and I'll get one written up.

peterthethinker commented 3 years ago

Gotta agree 100%. Modern 2FA is not one-item-fits-all. Esp. in enterprise.

FIDO2 is an OPEN API. The effort is adding the API / not a license issue. So? Bad PR from a hack would wreck Neos. So the motive is there to do it right the 1st time.

Here is my use case and why I use 2FA on HW FIDO2 tokens.

I have 2 keys. One off site and one local in my home. Both are attached to the same many accounts. I don't use them every day.
In fact, for Google it's only for new logins on new HW OR after I clear my browser history.

So it's a monthly affair. In Neos speak, it would be fair to drop the persistent login after a week, as it is now.

I don't use TOTP, as it's a PITA to use vs. a $15 key that is universal. TOTP is phone based. What do I do when I crack my screen? Water damage?

WHY put all my eggs in one casket! That's insane and such a risky move.

Not to mention devs don't give users enough time to copy over the code on some apps.

I say screw that! 30 sec is too fast!

NOT handicapped accessible for some people...

FIDO keys are consistent from a user PoV. Every use is the same, and that's reassuring and thusly less stress and pro-consumer.

Yes, TOTP apps are free. Good... use them if you want as a consumer.

A single project I get paid for is worth more than 2 keys. So it's a no-brainer from a business PoV to use the tokens I already have.

I heard some comments that persistent logins are not secure. Not wrong, but totally overkill! So I guess the dozens of PhDs that run the infosec of Google and Microsoft are wrong? If the avg business allows them with FIDO tokens for new HW logins on Google apps, then that's PLENTY for a VR game. The bar is: do as MS and Google do and you have done the due diligence of what is normal for this in this day and age. Less is a joke (SMS), and more may be too much burden on the user and they won't use 2FA at all in the 1st place. THIS is a big issue in infosec: the balance.

Perhaps we need an expert to chime in.

https://github.com/kevinmkane

Is a friend of mine and also a PhD expert on things in this wheelhouse. Might I suggest we consult him.

Know your attack surface! Mine is NOT someone breaking into my home and somehow taking my PC and logging in at their place.

It's someone with a new login trying to get in remotely on a fresh PC.

And none of this matters if you don't have a recovery system.

We need a 2nd email option so that IF we do lose all 2FA items we can self-reset via a 2nd email account.

And that's what Google, Yahoo, Twitter, Microsoft, and darn near every pro/business/enterprise company does.

Peter........

Frooxius commented 3 years ago

We have Yubikey on the roadmap as well, so we'd like to integrate it soon. https://github.com/Neos-Metaverse/NeosPublic/projects/5#card-61034830

Currently waiting on the hardware.

Are there other FIDO solutions that you're interested in, or does Yubikey fill your need?

FlameSoulis commented 3 years ago

The only FIDO keys I have are Yubikeys at this time, so that works.

In this case, I'm mostly observing that FIDO keys are a bit more VR friendly, since having to reach over and tap something (even better if you can put it on your headset) beats having to input an OTP.

For OTPs, I'm assuming pasting is an option since, for both BitWarden and Authy's PC clients, you can copy them directly for pasting immediately. Unfortunately, the demonstration video only shows desktop mode, hence why I voice the concern.

Frooxius commented 3 years ago

I see, thanks. Once I get my Yubikey, I'll look into integrating it. We integrated the TOTP 2FA first, since it's more accessible and doesn't require purchase of new hardware for the majority of people, but we definitely want to add more options.

peterthethinker commented 3 years ago

This is AWESOME!!

now we are cooking with gas!

peterthethinker commented 3 years ago

So, to be clear so there are no surprises: what is the intended behavior for the FIDO2 tokens, and what options are you implementing?

Frooxius commented 3 years ago

I got my YubiKey! I've been looking at what we can implement, but it looks like we're a bit early on a few things, as Yubikey has just recently released a .NET SDK and is building documentation; some things are still missing there: https://docs.yubico.com/yesdk/users-manual/yubiref/transport-fido.html

What kind of options are you looking for? I think we could do both 2FA and Passwordless probably, I'm just waiting on some more documentation to pop up and learning what I can in the meanwhile.

peterthethinker commented 3 years ago

Yes to both.

The use case for passwordless is for hot desking, AKA in a business where you and I both share a PC in a studio.

PWless is a FIDO2 key and a PIN.

Some good reading: https://www.microsoft.com/en-us/security/business/identity-access-management/passwordless-authentication

This is what MS has done for Windows login options with the keys, and it's consistent with enterprise in a place like a game studio who wants to hot desk. User interface behavior parity is the important part.
Most users will have an MS and Google account.

"Oh look, Neos behavior is just like my Gmail. I don't need help to understand this as the steps are the same!"

It's super quick to log in and it's digitally secure.
Whoever has the key and the PIN gets in.
So it does a VERY good job at keeping online attacks at bay.


The 2nd mode: normal 2FA.

While it would be airtight secure to ask for the key every time you start Neos, and also every time you do an admin action such as NCR transfers and other changes.

This is gonna annoy people.

Or so the MS and Google security studies have said. I agree! It's overkill.

So perhaps a way to choose how the key is used when you set it up. In my case I would...

  1. Ask for it on any new PC.
  2. Ask for it if it's been 7 days (no matter what).
  3. Ask for it when I clear the cache (obviously).

Ideally it is not asked every time I start up Neos.

But make that an option???

I bet the NCR high rollers would love to have the option to secure their few grand with a key.

Me, I don't do coins, so meh?


In all of this I hope there is a way to recover 2FA. Not just the backup codes.

Google lets you have 5 FIDO2 keys per account, AND a TOTP AND Google auth app. Any one of the 7 2nd-factor items is valid to get into the account to replace a missing or lost or stolen key or phone etc.

So you have to REALLY mess up to get locked out permanently.

Neos should support 3 keys and a TOTP at the min. (An app is out of the question.)

This covers every base. I use a few keys myself. One here local, one in an off-site area, etc. This way, if my house goes up in flames I don't also cook my only access. I have the spare key and codes.

NO stress looming: "What if I get locked out?"

What key did you get, and I assume it's FIDO2?

Frooxius commented 3 years ago

I see, thanks for the info! I'll definitely consider having multiple keys in the design.

Are you suggesting that it shouldn't require the key for every time you login or am I misunderstanding something?

My thought was that if you have the key and you just have to touch it, it would be convenient enough to log in that way every time. However, we can still have the "Remember Me" option as usual, that keeps you logged in until you log out or it expires.

peterthethinker commented 3 years ago

Exactly.

Almost no online service asks for it every time.

SnooperXP commented 3 years ago

With the exception of financial services. I do like the requirement on the NCR transactions.

peterthethinker commented 3 years ago

I would love to provide more feedback. I am NOT gonna post my infosec policies here on a public-facing website.

FlameSoulis commented 2 years ago

Bumping this as someone apparently had their account hijacked, and the topic of 2FA came up again, reminding me of this particular feature request. Considering the value of NCR has skyrocketed due to the recent bump (and hoping this post won't be dated as a result of the mentioning), exploring additional security options, such as the FIDO support, might be worth pursuing again.

Not to mention, the convenience of just being able to tap a hardware device is a lot easier than doing Mavis Teaches Laserpointers for VR users. The only issue I can foresee is that it is recommended to have multiple keys, so I can see the current security system might need to be tweaked due to the accommodation.