composer / packagist

Package Repository Website - try https://packagist.com if you need your own -
https://packagist.org/
MIT License

[RFC] Two-Factor Authentication #1020

Closed colinodell closed 5 years ago

colinodell commented 5 years ago

Would you consider implementing two-factor authentication to help protect accounts of package publishers? I don't have any specific implementation in mind - I just know that other package manager sites (like npm) allow 2FA and it seems like a good security measure.

hopeseekr commented 5 years ago

I think I'll go ahead and implement the PR for this, at least using the Time-based One-Time Password algorithm (TOTP), RFC 6238, basically the same thing that's compatible with Google 2FA.

Once I begin in earnest, I'll update this issue. Of course, it'll be in my fork without any guarantee this project will actually merge it.

alcohol commented 5 years ago

I think any reasonable PR which introduces 2FA would be welcome. Anything that is compatible with apps such as Google Authenticator (or Authy, preferably) would be good. Definitely not mobile text message based or such as we do not have the resources to work with that.

stof commented 5 years ago

A TOTP implementation would support both Google Authenticator and Authy automatically, as they are both TOTP apps (and would also support other TOTP apps).

colinodell commented 5 years ago

I've begun working on a TOTP implementation and hope to have that ready for review soon.

Would there be any interest in also allowing email-based 2FA and/or backup codes?

stof commented 5 years ago

IMO, backup codes are indeed useful, to prevent locking someone off their account entirely if their phone with the TOTP app gets stolen (and they don't use a TOTP app supporting backup of the config like Authy does).

thePanz commented 5 years ago

Are you planning to display the RFC 6238 key too, apart from embedding it into the QR code? Apps like KeePassXC can be used to generate TOTP, but cannot scan QR codes.

alcohol commented 5 years ago

I don't see why not. QR code should not be leading functionally speaking, it should be an additional feature. As you said, not all apps support QR code as input.

colinodell commented 5 years ago

Good call! I have updated my PR to expose the key: https://github.com/composer/packagist/pull/1031#issuecomment-540543058

TheArKaID commented 2 years ago

Umm guys, I lost my 2FA and also my backup code, so I cannot pass the 2FA screen. Is there any other way to log in? Something like a reset-password link that is sent to the email?

Seldaek commented 2 years ago

@TheArKaID I disabled it for you, but please use contact@packagist.org for such support enquiries.