Open jesopo opened 4 years ago
Is there an existing SASL mechanism for this that we could adapt for IRC?
https://tools.ietf.org/html/rfc2808 from a google
I once had a proof-of-concept OTP support for ZNC, but it abused password instead of doing SASL: https://github.com/znc/znc/pull/1348
Note that you don't need a new spec to have 2FA. For example, you could have a client and a server implement the OAUTHBEARER or OAUTH10A SASL mechanisms: https://tools.ietf.org/html/rfc7628#section-3
These allow for users to authenticate via services that already have 2FA.
A set of widely adopted standards for 2FA are HOTP for event-based codes, TOTP for time-based codes and the much more complicated OCRA challenge/response system.
Somewhat surprisingly, these mechanisms have no current definition as SASL mechanisms. It is relatively easy to add a mechanism though. However you should note that, since the passwords can be derived on the server, any password mechanism would be usable.
The only complication would be that some variation is advised to allow for missed HOTP events or for clock skew in TOTP. to make it 2-factor, one would add a password on top of the 6/7/8 digits generated by the mechanism. The complication means that a few well-defined checks would be done on the server, not just a single one; this can complicate the software flow somewhat in comparison with normal SASL implementation flows.
FWIW, I am working on a specific TOTP mechanism as part of the InternetWide.org as part of our HAAN mechanism. This can be useful for instant anonymous IRC user names.
Also, we are preparing software that allows Realm Crossover for SASL as part of our InternetWide Identity system. IRC could be an interesting use case, replacing the NICK system with the ability to use self-hosted client@domain.name
identities.
I recently saw this: https://tools.ietf.org/html/draft-melnikov-scram-2fa-01
i have absolutely no idea how this would work