search

justingit / dada-mail

Self-Hosted, Full Featured, Email Mailing List Manager. Announcement + Discussion Lists, Web-based Installer, Installs with minimal dependencies, sendmail/SMTP/Amazon SES supported
https://dadamailproject.com
GNU General Public License v2.0
169 stars 39 forks source link

Consider adding Two Factor Authentication (2FA) using the Time-based One-time Password Algorithm (TOTP) #994

Open frederickjh opened 3 years ago

frederickjh commented 3 years ago

This would be a security enhancement to allow users to use an app like the Google Authenticator, Twillio, Keepass2Android and many others to add two-factor authentication to their user account.

I would suggest that when two factor authentication is added to a user's account, that the user no longer be required to do a recaptcha during the login process, as TOTP is more secure than it.

I found this one file implementation j256/perl-two-factor-auth of this for Perl that may be of help in implementing this.

Thanks for your consideration of this security enhancement to Dada Mail. Frederick

justingit commented 3 years ago

I found this one file implementation j256/perl-two-factor-auth of this for Perl that may be of help in implementing this.

I like the idea of 2FA, but showing a QR code is not really 2FA, since it can be read on the computer that's showing it. You'd instead want to use a txt message, a phone call, something that can only be accessed by a separate device.

frederickjh commented 3 years ago

but showing a QR code is not really 2FA

@justingit I think you misunderstood this as the QRcode is only for the initial setup of the key and using a QR code is a common way to do this so that the user does not have to type a long string into their device from the computer. Take a look at the apps that generate the TOTP and you will find for the initial setup that most if not all allow scanning a QR code to setup a new TOTP.

Text messages and calls have been shown to be easy intercept using SIM cloning so combined with a phishing attack can be less secure than scanning a QRcode from the screen of a browser that is connected to a website using a SSL certificate.

justingit commented 3 years ago

Ah OK. I guess that still leads needing to setting up the txt/automated phone call gateway, which isn't so easy to do as a free service. I'm not super excited to fit that bill.

justingit commented 3 years ago

Authy may be an option: https://metacpan.org/pod/WWW::Authy

frederickjh commented 3 years ago

I would prefer a system that allow the user to choose what program or company they trust to store and generate TOTP. Maybe I understand this library for accessing the Authy API, which I am guessing then does the heavy lifting. I used Authy in the past and although they say that all your data is encrypt so they cannot access it I prefer to self-host and self-sync any login credentials. If this would lock one into using the Authy service for TOTP then I wouldn't use it.