ownpass / api-server

The OwnPass server application.
https://ownpass.io

Two-Factor authentication #11

Open waltertamboer opened 7 years ago

waltertamboer commented 7 years ago

As an extra layer of security we will support 2FA. Github has described a nice way of handling 2FA in combination with OAuth.

https://developer.github.com/v3/auth/#working-with-two-factor-authentication

ei8fdb commented 7 years ago

I agree it would be very useful, especially for those who are...more security conscious.

The main thing to consider is what device to use: a smartcard type device (gpgcard, YubiKey) with some fingerprint or cert, a smartphone app or an OTP (like Google Authenticator or SMS).

Using SMS would require ongoing cost.

My personal preference would be to support hardware devices like Yubikeys (because I use one :) ) and an open source smartphone app that provides One Time Passcodes.

I'm searching for figures on the most widely used implementations, but haven't found anything yet. The best so far I can find is:

  1. an article from PC Mag talking about LastPass's support for a wide range of 2FA implementations
  2. an article covering KeePass's 2FA support
  3. YubiKey's support for both individuals and enterprise users

In terms of UI design there will (more than likely) be design patterns that can be used for these interactions. It's probably best to copy already used patterns as there's a better chance they'll be familiar to users.

waltertamboer commented 7 years ago

Good feedback, thanks! I think we should start with an OTP implementation in combination with a smartphone app. Simply because it's the easiest to implement (I've done it before). I would definitely prefer to implement all variants. Personally I don't own a hardware device so making an implementation is a bit difficult for me.

ei8fdb commented 7 years ago

Good feedback, thanks!

No problem. You're welcome!

I think we should start with an OTP implementation in combination with a smartphone app.

Agreed.

Personally I don't own a hardware device so making an implementation is a bit difficult for me.

It's very easy to get one. Yubico often give them away at conferences, events. Possibly at FOSDEM next year if you're there.

I'll try and find some examples of design patterns for their use.