search

ircv3 / ircv3-ideas

46 stars 3 forks source link

expose two-factor auth through SASL #65

Open jesopo opened 4 years ago

jesopo commented 4 years ago

i have absolutely no idea how this would work

SadieCat commented 4 years ago

Is there an existing SASL mechanism for this that we could adapt for IRC?

jesopo commented 4 years ago

https://tools.ietf.org/html/rfc2808 from a google

DarthGandalf commented 4 years ago

I once had a proof-of-concept OTP support for ZNC, but it abused password instead of doing SASL: https://github.com/znc/znc/pull/1348

SadieCat commented 4 years ago

Hm: https://tools.ietf.org/html/rfc2444

hhirtz commented 4 years ago

Note that you don't need a new spec to have 2FA. For example, you could have a client and a server implement the OAUTHBEARER or OAUTH10A SASL mechanisms: https://tools.ietf.org/html/rfc7628#section-3

These allow for users to authenticate via services that already have 2FA.

vanrein commented 3 years ago

A set of widely adopted standards for 2FA are HOTP for event-based codes, TOTP for time-based codes and the much more complicated OCRA challenge/response system.

Somewhat surprisingly, these mechanisms have no current definition as SASL mechanisms. It is relatively easy to add a mechanism though. However you should note that, since the passwords can be derived on the server, any password mechanism would be usable.

The only complication would be that some variation is advised to allow for missed HOTP events or for clock skew in TOTP. to make it 2-factor, one would add a password on top of the 6/7/8 digits generated by the mechanism. The complication means that a few well-defined checks would be done on the server, not just a single one; this can complicate the software flow somewhat in comparison with normal SASL implementation flows.

FWIW, I am working on a specific TOTP mechanism as part of the InternetWide.org as part of our HAAN mechanism. This can be useful for instant anonymous IRC user names.

Also, we are preparing software that allows Realm Crossover for SASL as part of our InternetWide Identity system. IRC could be an interesting use case, replacing the NICK system with the ability to use self-hosted client@domain.name identities.

DarthGandalf commented 3 years ago

I recently saw this: https://tools.ietf.org/html/draft-melnikov-scram-2fa-01