dennisreimann / masquerade

masquerade is the predecessor of masq: https://github.com/dennisreimann/masq - please consider using masq from now on, as it is the more modular approach.
MIT License

Yubikey two factor auth can be bypassed #14

Closed jippi closed 14 years ago

jippi commented 14 years ago

Hi,

I have just got my yubikey, and I'm testing it with masquerade, it got associated just fine, however, even if I attach a yubikey to my account, I'm still able to login with just my normal password...

so, I can login both with just my password, or my password+yubikey

I think it would make sense only to be able to login with password+yubikey once an account has been associated with such.

dennisreimann commented 14 years ago

The yubikey is only an additional factor for multifactor authentication. You can see the PAPE specs for more information on that: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#auth_policies

In its current state, this is just a proof of concept implementation.

jippi commented 14 years ago

Okay.

How big of a change would it be to check if the current_user.has_yubikey? and don't allow logins without the yubikey appended to the password? :) That would more or less fix the issue.. it's false security if you can use both your normal password and the password+yubikey :)

dennisreimann commented 14 years ago

Like I said: Currently it's supposed to be an additional factor for multifactor authentication (if the relying party requires that) - so it isn't necessarily false security. We'd have to add a flag to the user profile so that the user can choose to always require password+yubikey.
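
The per-user "always require password+yubikey" flag discussed above, as an added example that is not masquerade's own code: a login check that splits the submitted "password+OTP" string, verifies the password, and refuses a bare password once the user has opted in. The user fields, the static-salt hash and the stubbed OTP validator are assumptions for an offline demo; a real deployment checks the OTP against the Yubico validation service, which also rejects replays.

```ruby
require 'digest'

# Constructed user record; field names are assumptions, not masquerade's real model.
User = Struct.new(:name, :password_digest, :yubikey_public_id, :require_yubikey, keyword_init: true)

OTP_LEN = 44                                   # a Yubico OTP is 44 modhex characters,
MODHEX  = /\A[cbdefghijklnrtuv]{44}\z/         # the first 12 of which are the key's public id

# Placeholder hash so the example runs offline; a real app uses bcrypt or similar.
def hash_password(pw)
  Digest::SHA256.hexdigest("constructed-static-salt:#{pw}")
end

def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Split "password+otp" into [password, otp]. The tail counts as an OTP only when it is
# modhex AND starts with the user's registered public id, so a long password that happens
# to end in modhex characters is not mistaken for one.
def split_credential(user, input)
  return [input, nil] if user.yubikey_public_id.nil? || input.length <= OTP_LEN
  tail = input[-OTP_LEN, OTP_LEN]
  return [input, nil] unless tail.match?(MODHEX) && tail.start_with?(user.yubikey_public_id)
  [input[0...-OTP_LEN], tail]
end

# otp_valid is a callable standing in for the Yubico validation service (which also
# rejects replayed OTPs); it is stubbed below for the demo.
def authenticate(user, input, otp_valid)
  password, otp = split_credential(user, input)
  return :bad_password unless constant_time_eq?(hash_password(password), user.password_digest)
  if otp.nil?
    # The fix from this thread: once the user opts in, a bare password is not enough.
    return user.require_yubikey ? :yubikey_required : :ok
  end
  otp_valid.call(otp) ? :ok : :bad_otp
end

# --- constructed demo data (not a real key or OTP) ---
SAMPLE_PUBLIC_ID = 'ccccccbcgujh'
SAMPLE_OTP       = SAMPLE_PUBLIC_ID + 'dkiueklebteidrtkbdvhevdjrvjgvrdv'
STUB_VALIDATOR   = ->(otp) { otp == SAMPLE_OTP }   # pretend only this one OTP is fresh and valid

def demo_user(require_yubikey)
  User.new(name: 'jippi', password_digest: hash_password('correct horse'),
           yubikey_public_id: SAMPLE_PUBLIC_ID, require_yubikey: require_yubikey)
end
```

With `demo_user(true)`, `authenticate(u, 'correct horse', STUB_VALIDATOR)` returns `:yubikey_required` while appending `SAMPLE_OTP` returns `:ok`; with the flag off, the bare password still logs in, which is the PAPE-style "additional factor" behaviour described above.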

jippi commented 14 years ago

That would be cool! :)

dennisreimann commented 14 years ago

Go ahead if you like to implement it :)

jippi commented 14 years ago

I may give it a try, but I only have 2 months of experience with ruby / rails :)

djmaze commented 14 years ago

Hey guys,

I already wanted to implement that feature myself. Maybe I will do it over the weekend ;-)

Greetz

dennisreimann commented 14 years ago

Nice, thank you!

jippi commented 14 years ago

Awesome!

djmaze commented 14 years ago

Done in 2c40481811166e346f7f331a736e69f3abbc24a3

jippi commented 14 years ago

Niiice!

Thanks 100^1000

dennisreimann commented 14 years ago

great, thank you :)