inventree / InvenTree

Open Source Inventory Management System
https://docs.inventree.org
MIT License

[FR] Two-Factor Authentication #2201

Closed r0l1 closed 2 years ago

r0l1 commented 2 years ago

Adding another layer of security to the authentication system would be a great addition (OTP).

Do you want to develop this? No, but we are open to create an open-source bounty.

matmair commented 2 years ago

@r0l1 I already integrated SSO via external providers - so you could rely on Azure AD for enforced MFA with conditional Access / Zero Trust. If you feel that is not enough could you specify what kind of OTP you are missing and how it should affect behaviour?

matmair commented 2 years ago

@r0l1 maybe check out https://inventree.readthedocs.io/en/latest/settings/global/#login-settings and all the provided providers of Django-allauth

r0l1 commented 2 years ago

@matmair thanks for the fast response. We won't integrate any third-party SSO provider, because that's less secure than a local password with 2FA. Adding support for the AndOTP/FreeOTP Android apps would be great. See: https://en.wikipedia.org/wiki/Help:Two-factor_authentication

Edit: That's also compatible with all the other platforms.

> how it should affect behaviour?

Would be great to require the TOTP code after the password login.

matmair commented 2 years ago

@r0l1 always depends on how your system is built. A fully set up AAD environment with a proper PKI, full ATP on each endpoint and zero trust configured right for users and devices is pretty secure. But that is more of a bank or Fortune 500 setup.

TOTP is as manufacturer agnostic as you can get (aside from WebAuthn maybe) and not too bad integration wise. I have done that before. How fast do you need it? ATM I am more focused on the whole plugin ecosystem but if it is a deal-breaker I can maybe try to do it on the weekend.

r0l1 commented 2 years ago

> always depends on how your system is built. A fully set up AAD environment with a proper PKI, full ATP on each endpoint and zero trust configured right for users and devices is pretty secure. But that is more of a bank or Fortune 500 setup.

True point. However, if you do not trust third-party setups and host everything yourself, I would prefer to handle authentication on self-hosted servers. Azure had multiple serious issues... (Example). Adding a plain 2FA would be a simple solution for my case.

> TOTP is as manufacturer agnostic as you can get (aside from WebAuthn maybe) and not too bad integration wise. I have done that before. How fast do you need it? ATM I am more focused on the whole plugin ecosystem but if it is a deal-breaker I can maybe try to do it on the weekend.

Thanks for the offer. It's not too urgent. InvenTree is already running on our server and we are currently facing other issues which are more important. How difficult would this feature be?

matmair commented 2 years ago

> Azure had multiple serious issues... (Example).

That one was fun :-). Was so glad that I do not have workloads on Azure. I would still argue that their zero trust access solution is one of the best hybrid solutions on the market. AD stays local but the MFA and zero access stuff is handled in the cloud. Password hash sync and limited object sync ensure the needed info is up in the cloud. Also saves you from Exchange on-prem, which is just a no for me.

> Adding a plain 2FA would be a simple solution for my case.

Using TOTP or token devices?

> Thanks for the offer. It's not too urgent. InvenTree is already running on our server and we are currently facing other issues which are more important.

What kind of issues? Have you filed issues? Feel free to ask questions here or to me if something is not working.

> How difficult would this feature be?

Not too bad. Had a look at a few libraries, don't like one or two things, but maybe 4-6 hours? Shouldn't be too bad for TOTP or HOTP. YubiKey also seems easy - would have to think about how to do unit tests. The main difficulty is to not interfere with our SSO features and token auth.

r0l1 commented 2 years ago

> That one was fun :-)

Yeah ^^ But sadly also quite scary. That's why I am a huge fan of open source software and self-hosted solutions.

> Was so glad that I do not have workloads on Azure. I would still argue that their zero trust access solution is one of the best hybrid solutions on the market.

I am not too familiar with their solution.

> Using TOTP or token devices?

Time-based One-time Passwords (TOTP) or HMAC-based One-time Passwords (HOTP). We are using authenticator apps like AndOTP or FreeOTP.

> What kind of issues? Have you filed issues? Feel free to ask questions here or to me if something is not working

Thanks for asking. Currently the BOM feature limits us. See: https://github.com/inventree/InvenTree/issues/2042#issuecomment-950733340

> Not too bad. Had a look at a few libraries, don't like one or two things, but maybe 4-6 hours? Shouldn't be too bad for TOTP or HOTP. YubiKey also seems easy - would have to think about how to do unit tests. The main difficulty is to not interfere with our SSO features and token auth.

Sounds good :) How are bounty requests handled here? I would start an initial small bounty to get the BOM issue fixed.

matmair commented 2 years ago

> Thanks for asking. Currently the BOM feature limits us. See: #2042 (comment)

That seems to be more than one thing; we are refactoring rn.

> Not too bad. Had a look at a few libraries, don't like one or two things, but maybe 4-6 hours? Shouldn't be too bad for TOTP or HOTP. YubiKey also seems easy - would have to think about how to do unit tests. The main difficulty is to not interfere with our SSO features and token auth.

> Sounds good :) How are bounty requests handled here? I would start an initial small bounty to get the BOM issue fixed.

TOTP should be done tomorrow, putting together unittests. Bounty requests are somewhat new for this org (at least for me). Please connect with @SchrodingersGat on that - He started this project and is the maintainer.

matmair commented 2 years ago

@r0l1 MFA is now in review and should be in the next release 0.6.0; that could take up to a month. I do not recommend running the current master as it is not stable and there are major changes.

You can check out the new feature through gitpod, see the link in the first comment in #2221

matmair commented 2 years ago

MFA is off by default and needs to be enabled through the global settings -> Enforce MFA.

r0l1 commented 2 years ago

@matmair sorry for the delayed response. Thanks a lot for the implementation! I'll have a look at it soon!