Feature request: 2factor authentication

[Dubz]

I'm not sure if anyone knows of anything, but I am in need of enabling 2factor authentication for agents. I'm not sure if a solution already exists for this or not, but it is a pretty common demand for web applications these days.

My current setup involves the LDAP plugin for adding/authenticating users. I need to add some sort of two factor authentication to this as well, primarily for agents (I wouldn't let users have them, since they'd lose them). I'm okay with using TOTP codes, such as Google Authenticator, but I'm also open to alternatives. We have Duo for logging into other things, but this is only available for agents and not clients. The current LDAP plugin wouldn't work for this. I may be able to use a multi-ldap plugin to achieve this, but I'm mostly just looking for any solution right now.

[greezybacon]

I would recommend looking into Duo (duo.com). Their solution is relatively easy to integrate in to web applications and is very simple to use.

[Dubz]

I'm well aware of duo and it's ease from a user's perspective. This isn't anything new to me.

My point is, how can a piece of software in 2018 not have 2faftor authentication?? It's not hard to implement this at all, I'm just too unfamiliar with this source to do it myself.

Implementing a standard TOTP is so simple to do, yet this doesn't even have any plans for it??

Not trying to be rude at all, but come on now. This is missing some basic necessities. Mobile friendly design being another one of them. Perhaps if it was more up to par with certain things, there support, both user and development, would be much better. The lack of these makes me believe the project is dying off and should be avoided...

[ntozier]

Q: My point is, how can a piece of software in 2018 not have 2faftor authentication?? A: well you are the first person I have seen request it, and it was only 2 days ago...

Q: Implementing a standard TOTP is so simple to do, yet this doesn't even have any plans for it?? A: two things.

1. Since this is simple to do, then I look forward to your PR to add it to the project. I would recommend that you do so in the form of a plugin.
2. Please direct us to the thread that supports the statement "yet this doesn't even have any plans for it".

"This is missing some basic necessities." I recommend that you evaluate the software and if it does not meet your needs then you should look for a piece of software that does meet your needs.

"Perhaps if it was more up to par with certain things, there support, both user and development, would be much better. The lack of these makes me believe the project is dying off and should be avoided..." This appears to be your opinion. If you believe that to be true then you should really re-evaluate your choice to use this product.

Best of luck in your search to find a better free alternative.

[Dubz]

"well you are the first person I have seen request it, and it was only 2 days ago..." Actually, someone did mention this in https://github.com/osTicket/osTicket/issues/3774 but there's nothing else. I know I can't be the only one who would want to implement this either...

"Since this is simple to do, then I look forward to your PR to add it to the project." I would, but I'm not familiar enough with this application's scripts to do this quickly and efficiently. Plus I'm sure there are others who are familiar with it enough to be able to do this neatly with the system. I did fork the original repo to look into adding this, but the argument presented to defend against the use of security made me lose interest instantly. "I would recommend that you do so in the form of a plugin." That's pointless, it should be a core feature. Claim it's my opinion, but so is using it once it's added. It should still be offered from the start without additional plugins.

"Please direct us to the thread that supports the statement "yet this doesn't even have any plans for it"." How about the fact that there is nothing done for the past year since the previous mention of it that I kindly linked for you above (since I was "the first"). No mention of adding it, and the fact it isn't there. It was brought up before, but still non existent.

"Best of luck in your search to find a better free alternative." The fact you're using the argument of this being free as an excuse to lack on basic security makes me question this software altogether. There's no point in using something that doesn't care for security, even if it is free.

[ntozier]

"but the argument presented to defend against the use of security made me lose interest instantly." What argument was that?

"That's pointless, it should be a core feature. Claim it's my opinion, but so is using it once it's added. It should still be offered from the start without additional plugins." That is your opinion. However I would point to the slew of other alternative authentication system plugins to back up my statement that this should be a plug in.

"How about the fact that there is nothing done for the past year since the previous mention of it that I kindly linked for you above (since I was "the first"). No mention of adding it, and the fact it isn't there. It was brought up before, but still non existent." So your utilization of the scientific method tells you that a lack of a public statement means that something didn't happen or does not exist.

"The fact you're using the argument of this being free as an excuse to lack on basic security makes me question this software altogether. There's no point in using something that doesn't care for security, even if it is free." There is in fact no argument against "basic security" in this thread. There is also no argument against "advanced security" or any other adjective that you wish to throw in front of the word Security. You said that the software does not meet your needs so I invited to re-evaluate as to if the software met your needs and wished you luck in your search to finding a better free alternative.

[kernelion]

I'm not sure if anyone knows of anything, but I am in need of enabling 2factor authentication for agents. I'm not sure if a solution already exists for this or not, but it is a pretty common demand for web applications these days.

My current setup involves the LDAP plugin for adding/authenticating users. I need to add some sort of two factor authentication to this as well, primarily for agents (I wouldn't let users have them, since they'd lose them). I'm okay with using TOTP codes, such as Google Authenticator, but I'm also open to alternatives. We have Duo for logging into other things, but this is only available for agents and not clients. The current LDAP plugin wouldn't work for this. I may be able to use a multi-ldap plugin to achieve this, but I'm mostly just looking for any solution right now.

Hi Dubz. Did you finally found any 2FA solution for you osTicket deployment? I did a big search regarding 2FA, even used some OAUTH plugins with no luck. Found people willing for 2FA since 2015, with no luck. Even sent requests to programmers to create a 2FA plugin as a custom project with no good responses.I even created my own php code with Google Authenticator, but I want something better if not with even SMS support.