okfde / froide

Freedom Of Information Portal
MIT License
357 stars 86 forks

feature request: two-factor authentication #434

Closed juliuste closed 2 years ago

juliuste commented 3 years ago

Whoever has access to a froide user account can send letters to any government agency under the name of the user account's holder. This is especially problematic for FOI requests that are automatically signed with a signature previously uploaded by the user, which is done when froide automatically sends a fax instead of an email for authorities that require requests to be submitted in "written form" (which is a cool feature, by the way!).

I therefore believe that it would make sense to introduce (opt-in) two-factor authentication, to decrease the risk that anyone could gain access to another user's account and send out signed letters to government agencies, which, in turn, would probably not question the authenticity of such a message immediately, given the fact that it was issued via FragDenStaat.

I'm not arguing for 2FA via SMS here - that would be relatively expensive, besides not really being safe in the first place. Something like TOTP on the other hand, which is used by many popular services, might be relatively easy to integrate, since suitable django plugins probably already exist (?).

PS: Thank you for building and maintaining this service :green_heart:

rugk commented 3 years ago

TOTP or/and then (the way better) WebAuthn. :+1:

See https://webauthn.guide/

stefanw commented 3 years ago

I've been looking into this for some time and there are some Django apps around that provide TOTP or WebAuthn. Ideally, I'd like to use an app that can do both, integrates nicely without too much overhead and has some maturity. I have not found that in the past.

rugk commented 2 years ago

https://github.com/xi/django-mfa3 (just leaving this here, "stolen" from https://github.com/desec-io/desec-stack/issues/316#issuecomment-1023141155)

stefanw commented 2 years ago

Thanks @rugk, I like that project, small enough to see what's going on (despite all the mixins and subclassing). I plan to merge this week and test it out with our staff members.

juliuste commented 2 years ago

@stefanw just to double-check in case I'm dumb: The feature is not enabled yet, right? 😄

stefanw commented 2 years ago

It wasn't visible before, but should now be visible to all users in the settings: https://fragdenstaat.de/account/settings/#mfa

rugk commented 2 years ago

When adding a hardware key I get a second step and need to authenticate myself (I guess to add the hardware key). However, I can just use the hardware key I just added to authenticate myself? :upside_down_face:

stefanw commented 2 years ago

How's that a problem?

rugk commented 2 years ago

I thought the reason for that authentication prompt was that no foreign user or so could maliciously add an authentication factor to lock out the user of the account...

Similarly to the sudo mode that GitHub shows you when you visit https://github.com/settings/two_factor_authentication/setup.

So if that were the case, obviously authenticating with a just added factor does not help a lot...

stefanw commented 2 years ago

In your case a second factor has already been added, so if you are malicious, the real user is already locked out.

Our 'sudo' mode prompts for recent authentication on certain actions when a second factor has been added. Details in German here:

https://fragdenstaat.de/hilfe/ihr-konto-verwalten/zwei-faktor-login/
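The exchange above is about when a "sudo mode" re-authentication prompt actually protects anything. As an added model (not froide's implementation and not what the linked help page describes in detail; the 15-minute validity and the "pre-existing factor" rule are assumptions), the policy below encodes both positions: enrolling the first factor needs only the password-authenticated session, any later enrollment needs a recent second-factor challenge, and an optional stricter rule refuses to count a factor that was enrolled during the current session, which is the case rugk raised.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REAUTH_MAX_AGE = 15 * 60  # assumption: a re-authentication stays valid for 15 minutes


@dataclass
class Factor:
    name: str
    enrolled_at: float  # Unix time the factor was added to the account


@dataclass
class Session:
    user: str
    login_at: float                      # when this session authenticated with the password
    factors: List[Factor] = field(default_factory=list)  # factors currently on the account
    last_reauth_at: Optional[float] = None
    last_reauth_factor: Optional[Factor] = None


def reauthenticate(session: Session, factor: Factor, now: float) -> None:
    """Record a successful second-factor challenge; the cryptographic check itself is out of scope."""
    if factor not in session.factors:
        raise ValueError("factor is not enrolled on this account")
    session.last_reauth_at = now
    session.last_reauth_factor = factor


def can_enroll_factor(session: Session, now: float,
                      require_preexisting: bool = True) -> Tuple[bool, str]:
    """Decide whether the session may add another factor.

    - No factors yet: the password session is all the account has, so it suffices
      (this is stefanw's point: if someone is adding the first factor, the account
      was already theirs to control).
    - Otherwise: require a recent re-authentication ("sudo mode").
    - With require_preexisting: the re-auth must have used a factor enrolled before
      this session started, so a factor added moments ago cannot vouch for itself.
    """
    if not session.factors:
        return True, "first factor: password-authenticated session suffices"
    if session.last_reauth_at is None or now - session.last_reauth_at > REAUTH_MAX_AGE:
        return False, "recent second-factor authentication required"
    used = session.last_reauth_factor
    if require_preexisting and used is not None and used.enrolled_at >= session.login_at:
        return False, "re-authentication must use a factor that predates this session"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the scenario from the thread.
    s = Session("alice", login_at=1000.0)
    print(can_enroll_factor(s, now=1000.0))          # first key: allowed
    key = Factor("hardware-key", enrolled_at=1010.0)
    s.factors.append(key)
    print(can_enroll_factor(s, now=1020.0))          # second factor: re-auth needed
    reauthenticate(s, key, now=1030.0)
    print(can_enroll_factor(s, now=1040.0))          # key was added in this session: refused
    print(can_enroll_factor(s, now=1040.0, require_preexisting=False))  # lenient policy: ok
```

Whether the stricter rule is worth its friction is the question the thread leaves open: it only matters if an attacker holds a password-authenticated session but has not yet added a factor, and in that window the lenient policy already lets them lock the owner out.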

juliuste commented 2 years ago

(fyi) I submitted a PR to 2fa.directory, so password managers etc. should be able to automatically show users that 2fa is available for FragDenStaat: https://github.com/2factorauth/twofactorauth/pull/6733