OTP via Telegram

[mo7och]

Hello Cornelius!

What about sending OTP via telegram-bot? It is more secure chanel than sms,email and etc.

Ther is Telegram-Cli

[cornelinux]

I like this idea a lot. In fact I think we do not need the CLI as there is the bot API: https://core.telegram.org/bots/api

In the end it is similar to the HTTPSMSProvider. (https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/smsprovider/HttpSMSProvider.py#L100) The OTP is simply handed to just another web API.

In fact we could also use it as an SMS token type but only replace the SMSProvider.

We probably need to save the configuration for the authentication at the telegram bot api and just use the API :-)

Don't you want to give it a try?

[mo7och]

Awesome! When do you plan to release this feature? Or maybe we can modify somehow SMS Provider for bot API now ?

[cornelinux]

lol

I think you misunderstood me.

I did not mean to give it a try to test it, but rather to give it a try to implement it. The biggest part is reading and understanding the telegram API. Doing the REST API call is pie.

[mo7och]

=) yep My english skills isn't perfect. I'll wait this feature with impatience!

[cornelinux]

I believe that ;-)

[cornelinux]

Hi @borschoff, I think we are on the wrong track: https://core.telegram.org/bots#4-how-are-bots-different-from-humans

"Bots can not initiate conversation with users." I.e. privacyIDEA can not send an OTP via Telegram to the user. The user would have to request an OTP value: "A user must either add them to a group or send them a message first."

This does not sound like usability to me! I would have to open Telegram and request an OTP value to be able to login...

[arieljannai]

@cornelinux I found this issue since I searched for a way to get my OTPs from Telegram instead of SMS. Just a little thing about:

I would have to open Telegram and request an OTP value to be able to login...

It's not entirely correct: The user should first send a message to the bot to start a conversation with it, but afterwards the bot can send the user messages as long as the user haven't stopped the bot. So after the first "signup" via the bot, the user doesn't have to ask the bot for OTPs - the bot can send it to him when suitable (depends on the specific case, but might be after asking from OTPs on the web?).

Maybe I didn't understood it correctly since I'm not familiar with that project, so just you'll know the user must interact only in the first place, and then - whatever you want.

I know I would love to see such feature in any place I need OTPs (at least the ones I use daily)

P.s Sorry for bumping it after more than a year

[ibroos]

can any one help step by step process of OTP via telegram

[michaelwulz]

Hello, pls. give a status to the OTP sending via Telegram Bot. I think this could be a nice feature, so provide OTP via a secure channel. Is there any beta version already implemented and ready to test?

I use some services with Telegram bots like zabbix, solarwinds and so son. They work very well and do a great job.

regards

[malexeyc]

can any one help step by step process of OTP via telegram

1. admin creates a new bot by @BotFather in Telegram
2. admin saves HTTP API token of new bot
3. admin creates a new SMS gateway Providermodule 'privacyidea.lib.smsprovider.HttpSMSProvider.HttpSMSProvider' with Parameters CHECK_SSL yes HTTP_METHOD GET RETURN_FAIL "ok":false RETURN_SUCCESS "ok":true SEND_DATA_AS_JSON yes URL https://api.telegram.org/bot/sendMessage and Options chat_id {phone} text {otp}
4. user creates new chat with new bot (creates in step 2) in Telegram and also must get their 'user_id' ('chat_id'), example, by @getmyid_bot
5. admin or user enrolls new SMS token where 'phone number' is 'user_id' and 'A token specific SMS gateway' is gateway from step 3
6. user authenticates on service and get OTP by Telegram