mysociety / alaveteli

Provide a Freedom of Information request system for your jurisdiction
https://alaveteli.org

Two factor login authentication for all administrators and users who opt-in #4093

Open RichardTaylor opened 7 years ago

RichardTaylor commented 7 years ago

Currently there is an option of two-factor authentication for administrators resetting passwords; but there isn't two-factor authentication for every login.

Related: Increase security of superuser accounts #2697

garethrees commented 7 years ago

This was by design as we felt that needing a copy of the recovery keys for every login would be pretty annoying, and also insecure as you'd have to carry codes around. SMS works better for this as you only have a valid code on you for 30 seconds or so before you log in.

What's your thinking behind this?

I think using Google Authenticator would make most sense if we wanted to support this, but I don't know what the implication would be for Alaveteli installs in less developed countries.

RichardTaylor commented 7 years ago

I raised this ticket as a result of noting the current two-factor authentication system (which protects password resets) with new volunteers and others and observing it's not perhaps what might be expected when one says two-factor authentication is a feature the system has. So I thought I'd add a ticket for discussion of a broader implementation of some form of two-factor authentication.

I agree codes would be a hassle. Presumably an app or texts would be the way to go.

mbimmler commented 7 years ago

Ideally I think the system would offer the use of either Google Authenticator or a (flash) SMS... Given how widespread mobile phones are even in the Global South, I think the chances of someone who is an Alaveteli super user not having access to a mobile phone that can receive SMS is fairly low - it'd at least be a good fallback if Google Authenticator is not available to someone.

garethrees commented 7 years ago

RE: SMS, it's more that there's an extra cost and complexity burden for partners in setting up a service to handle it.

RichardTaylor commented 2 years ago

Caution: two-factor authentication can impact accessibility, see thread

https://twitter.com/blaine/status/1465726248873648136

It should be OK as an opt-in option though, and for administrators.

RokeJulianLockhart commented 1 month ago

https://github.com/mysociety/alaveteli/issues/4093#issuecomment-314043913

@RichardTaylor, you mention SMS and recovery secrets. You even mention rotating authentication keys. However, instead of Google or Authy's proprietary secrets protocol, have you considered the standardized TOTP specification?

It is commonplace, and operates offline.
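To make concrete what the thread is comparing (single-use recovery codes, SMS codes, and an offline time-based code as used by Google Authenticator and other TOTP apps), here is an added example, not Alaveteli's code and not posted by any commenter, of RFC 4226 HOTP and RFC 6238 TOTP in Ruby (Alaveteli is a Rails application) using only the standard library. The issuer name, the account label and the 30-second step are assumptions for illustration; the secret in the `__main__` block is the reference secret from the RFC test vectors, embedded so the output can be checked against them. A production deployment would more likely use a maintained gem such as `rotp`, but the logic below is the whole protocol: nothing is fetched from a network at verification time, which is the "operates offline" property mentioned above.

```ruby
require 'openssl'
require 'uri'

# Added example (not Alaveteli code): RFC 4226 HOTP and RFC 6238 TOTP using
# only the Ruby standard library, so both sides run offline like an
# authenticator app does.

# HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic
# truncation" (RFC 4226 section 5.3). Returns a zero-padded decimal string.
def hotp(secret, counter, digits: 6)
  msg    = [counter].pack('Q>')                       # 64-bit big-endian counter
  hmac   = OpenSSL::HMAC.digest('SHA1', secret, msg)  # 20 raw bytes
  offset = hmac.getbyte(19) & 0x0f                    # low nibble of last byte
  code   = hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, '0')
end

# TOTP: HOTP whose counter is Unix time divided by the step (30 s by default),
# which is why a code is only "valid on you" for about 30 seconds.
def totp(secret, unix_time, step: 30, digits: 6)
  hotp(secret, unix_time.to_i / step, digits: digits)
end

# Constant-time comparison so the check does not leak matching digits via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: accept the current step and +/- `drift` neighbouring
# steps to tolerate clock skew between server and phone. A real login path
# must also rate-limit attempts and refuse to accept the same code twice.
def verify_totp(secret, code, unix_time, step: 30, digits: 6, drift: 1)
  (-drift..drift).any? do |d|
    candidate = totp(secret, unix_time + d * step, step: step, digits: digits)
    secure_compare(candidate, code.to_s)
  end
end

# Base32 (RFC 4648, unpadded) as expected in otpauth:// provisioning URIs.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

def base32_encode(bytes)
  bytes.unpack1('B*').scan(/.{1,5}/).map { |g| BASE32_ALPHABET[g.ljust(5, '0').to_i(2)] }.join
end

# Key URI format scanned as a QR code by Google Authenticator and compatible
# apps. The issuer and account names are assumptions for this example.
def provisioning_uri(secret, account, issuer: 'Alaveteli', digits: 6, period: 30)
  label = URI.encode_www_form_component("#{issuer}:#{account}")
  query = URI.encode_www_form(secret: base32_encode(secret), issuer: issuer,
                              algorithm: 'SHA1', digits: digits, period: period)
  "otpauth://totp/#{label}?#{query}"
end

# Fresh per-user secret for enrolment (160 bits, as RFC 4226 recommends).
def generate_secret
  OpenSSL::Random.random_bytes(20)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the RFC 4226 / RFC 6238 reference secret, so these
  # values can be compared with the test vectors in the RFCs.
  secret = '12345678901234567890'
  puts hotp(secret, 0)                    # RFC 4226 vector for counter 0
  puts totp(secret, 59, digits: 8)        # RFC 6238 SHA1 vector for T=59
  puts verify_totp(secret, '287082', 59)  # 6-digit code for step 1 at T=59
  puts provisioning_uri(secret, 'admin@example.com')
end
```

The enrolment flow is `generate_secret`, store it server-side (encrypted, tied to the user), show `provisioning_uri` as a QR code once, then require `verify_totp` to pass before enabling the second factor so a mistyped scan cannot lock the user out. The drift window in `verify_totp` is the trade-off the thread hints at: wider windows tolerate worse phone clocks but give an attacker more accepted codes per attempt, so it should be paired with attempt throttling.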