TUfast-TUD / TUfast_TUD

Browser Extension for higher productivity with TU Dresden IT-Services 🚀
https://www.tu-fast.de
GNU General Public License v3.0

[BUG]: 2-Factor-Authentification not working #127

Closed cheater78 closed 10 months ago

cheater78 commented 1 year ago

What is the bug? Since braindead ZIH impl 2-Factor, TUfast can't login anymore

What system are you running? crossplat

Anything else that is important? Please add a feature to save ur Token, and automatically query the needed characters, enter them and login. Thanks <3

OliEfr commented 1 year ago

Hi @cheater78.

Thanks for bringing that up.

Seems like the Auto-Login feature is in danger, if 2FA gets implemented for other platforms.

I btw don't have any ZIH-Login anymore, so I can't participate in developing or testing any login related stuff.

@C0ntroller

C0ntroller commented 1 year ago

First of all I don't think making it mandatory to secure the most important login of your university login is "brain-dead".

That said, development currently is pretty stalled (and I currently also don't have any spare time for this project), so I don't think it will be implemented in the near future.

I also have some other issues with this:

If you want to, you can use other password managers like Bitwarden for storing and even autofilling your tokens. This is by far more secure than anything TUfast will ever be able to achieve.

OliEfr commented 1 year ago

I think integrating a 2FA-workaround (if only for hardcore-users) in TUfast would technically be challenging.

C0ntroller commented 1 year ago

> I think integrating a 2FA-workaround (if only for hardcore-users) in TUfast would technically be challenging.

I don't think it would be. Technically, TOTPs are not that complicated and there is probably already a JS library to create them.

And I want to say what I said is my personal stance on this matter. I saw some other reactions on Discord indicating more people do want this. If there are enough, we could do this.

But there are bigger issues first, like we desperately need to change our JS-bundler...

OliEfr commented 1 year ago

Sounds really interesting to me.

Maybe it's an idea to implement it for opal, but not for more 'critical' services such as selma (or other places where personal data is stored / changed), if that makes sense.

OliEfr commented 10 months ago

Closed with #131