RPIForge / website

The Forge's website - tracks machine usage and calculates charges.
GNU Affero General Public License v3.0

add 2-factor authentication. #46

Open volkb opened 4 years ago

volkb commented 4 years ago

After a given period of time a user should be required to double authenticate their login using either SMS or email. A user should also have to do this if they are logging into the platform from a new IP address for the first time.

bnidevs commented 4 years ago

Do you want to use google cloud for this or something else

volkb commented 4 years ago

It doesn't have to be. Essentially we would just add a 'last logged in' and 'ip' field to the users section of the data model. Then on login, we would just do some math on that field to see if the user has been logged in recently (let's say 30 days) and/or they are on a different IP from the ones the system recognizes, and if not, a code is sent to their email or phone for them to 2-factor authenticate with.
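
The step-up login check described in the comment above, as an added example that is not part of the original thread or of the RPIForge/website code. It assumes a `UserRecord` with `last_login` and `known_ips` fields (standing in for the proposed 'last logged in' and 'ip' fields), a fixed clock `T0` for reproducibility, and an injectable `send_code` callable where the project's SendGrid mailer (or an SMS provider) would plug in. It goes a little beyond the comment: the code is generated from a CSPRNG, only a salted hash of it is stored, it expires, and guesses are capped.

```python
"""
Step-up second factor: re-challenge when the last login is older than 30 days
or the request comes from an IP the account has not used before.
Added example, not RPIForge/website code; UserRecord, send_code, T0 and the
time constants are assumptions made for this illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set

REAUTH_AFTER = timedelta(days=30)   # "logged in recently (let's say 30 days)"
CODE_TTL = timedelta(minutes=10)    # a delivered code is useless after this
MAX_ATTEMPTS = 5                    # 6 digits / 5 tries: guessing is not viable
CODE_DIGITS = 6
ONE_DAY = timedelta(days=1)
T0 = datetime(2020, 7, 27, tzinfo=timezone.utc)   # fixed clock for the demo


@dataclass
class UserRecord:
    email: str
    last_login: Optional[datetime] = None              # the 'last logged in' field
    known_ips: Set[str] = field(default_factory=set)   # the 'ip' field, as a set
    # pending challenge: only a salted hash of the code is stored, never the code
    code_salt: bytes = b""
    code_hash: Optional[bytes] = None
    code_expires: Optional[datetime] = None
    attempts_left: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def _clear_challenge(user: UserRecord) -> None:
    user.code_salt, user.code_hash, user.code_expires, user.attempts_left = b"", None, None, 0


def needs_second_factor(user: UserRecord, ip: str, now: datetime) -> bool:
    """Stale login (> REAUTH_AFTER) or an address never seen on this account."""
    addr = str(ipaddress.ip_address(ip))   # normalises and rejects malformed input
    stale = user.last_login is None or now - user.last_login > REAUTH_AFTER
    return stale or addr not in user.known_ips


def issue_challenge(user: UserRecord, now: datetime, send_code: Callable[[str, str], None]) -> None:
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"   # CSPRNG, leading zeros kept
    user.code_salt = secrets.token_bytes(16)
    user.code_hash = _hash_code(code, user.code_salt)
    user.code_expires = now + CODE_TTL
    user.attempts_left = MAX_ATTEMPTS
    send_code(user.email, code)   # SendGrid mail or an SMS provider plugs in here


def verify_challenge(user: UserRecord, submitted: str, ip: str, now: datetime) -> bool:
    if user.code_hash is None or user.code_expires is None:
        return False                       # nothing pending
    if now > user.code_expires:
        _clear_challenge(user)
        return False
    user.attempts_left -= 1
    ok = hmac.compare_digest(_hash_code(submitted.strip(), user.code_salt), user.code_hash)
    if ok:
        _clear_challenge(user)
        user.last_login = now
        user.known_ips.add(str(ipaddress.ip_address(ip)))
    elif user.attempts_left <= 0:
        _clear_challenge(user)             # burn the code; the user must log in again
    return ok


def login(user: UserRecord, ip: str, now: datetime, send_code: Callable[[str, str], None]) -> str:
    """Called after the password check passed. Returns 'ok' or 'challenge'."""
    if needs_second_factor(user, ip, now):
        issue_challenge(user, now, send_code)
        return "challenge"
    user.last_login = now
    return "ok"


def demo() -> list:
    """Walks the thread's scenario on a fixed clock; returns the observed outcomes."""
    sent = []
    capture = lambda email, code: sent.append(code)   # stands in for the mailer
    user = UserRecord(email="member@example.edu")     # constructed sample account
    out = [login(user, "10.0.0.5", T0, capture)]       # first login ever -> challenge
    wrong = "000000" if sent[-1] != "000000" else "000001"
    out.append(verify_challenge(user, wrong, "10.0.0.5", T0))       # bad guess -> False
    out.append(verify_challenge(user, sent[-1], "10.0.0.5", T0))    # right code -> True
    out.append(login(user, "10.0.0.5", T0 + ONE_DAY, capture))       # recent, known IP -> ok
    out.append(login(user, "192.0.2.9", T0 + 2 * ONE_DAY, capture))  # new IP -> challenge
    out.append(verify_challenge(user, sent[-1], "192.0.2.9", T0 + 3 * ONE_DAY))  # expired -> False
    out.append(login(user, "10.0.0.5", T0 + 40 * ONE_DAY, capture))  # > 30 days -> challenge
    return out


if __name__ == "__main__":
    print(demo())
```

Two practical caveats for the IP half of the rule: the address has to come from the trusted reverse-proxy header, not the raw socket, or every user will look like the proxy; and students on campus Wi-Fi and carrier NAT change addresses often, so expect the "new IP" branch to fire a lot and consider expiring entries from the known set rather than letting it grow forever.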

wave100 commented 4 years ago

+1 on not adding a dependency on GCP, IMO. SMS is non-trivial to add because there are usually costs associated with that. Maybe 2FA via email and use our existing sendgrid config?

That said, Casey should have the final word on whatever y'all do end up going with.


HonakerM commented 4 years ago

Going off of what Rish said, I would use our current SendGrid implementation. There are more pressing things for this semester and I don't want to overcomplicate something that could be done simply for the time being. In the future we could look into SMS.

volkb commented 4 years ago

So yes, I agree that email would be the easiest method for right now; however, SMS implementation is also just as easy. We would just need to capture what type of phone the user has (Verizon, AT&T, etc.), then just send what is effectively an email (we can probably even reuse the same email creation function) to the SMS gateway of the provider, which is then translated into the message. If you google "SMS gateway list" it should come right up.

A security issue that I commonly see with 2-factor using email is that everyone uses the same password for everything, which means if the app account is compromised, your email likely is as well. Phones provide an external method of 2-factor, and a physical layer of protection as well.


HonakerM commented 4 years ago

@volkb if we implemented SMS it would not be through an SMS gateway. There are too many issues with it and I have also had messages take days to send. We would use something like Azure Bot or AWS Pinpoint. Like I said in my previous posts, this is not a priority. Getting our site mobile friendly is much more important at this moment.

volkb commented 4 years ago

That's fair; this is all good documentation, though, for when we get around to this story. With Azure Bot or Pinpoint, though, we would need to consider the ongoing cost of operation.
