sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Allow auth via TOTP #2310

Open strugee opened 8 years ago

strugee commented 8 years ago

What the title says. This is very, very similar to the existing email authentication scheme, where the user is sent a one-time code.

strugee commented 8 years ago

Also, to clarify, TOTP is the algorithm that e.g. the Google Authenticator app implements, and it's what most websites use for "two-step verification" features.

ocdtrekkie commented 8 years ago

A six digit number may be inadequate as a single-step authentication method. I don't think standard TOTP would be quite adequate there, you'd need something a bit more robust.

strugee commented 8 years ago

@ocdtrekkie why? I think it'd be fine, given proper rate-limiting.

kentonv commented 8 years ago

TOTP has a critical difference from e-mail: TOTP doesn't authenticate any particular global identifier, whereas e-mail authenticates an e-mail address. You could pair TOTP with a unique username chosen on first login, but such an identity would be local to one particular server. In order to enable federation, we really want a Sandstorm identity to be global, such that any server can authenticate it without trusting any other server.

TOTP could, of course, be used as a second factor, which is what it's meant for. We have plans to add that eventually.

zarvox commented 8 years ago

I'm personally thrilled about two-factor authentication, either with TOTP, or something like FIDO U2F. :)

For more information and a past discussion (including some nudges towards what we'd consider smart implementation strategies), see https://groups.google.com/forum/#!searchin/sandstorm-dev/2FA/sandstorm-dev/0oW2uiW9nI4/IxvyU5dbCgAJ

strugee commented 8 years ago

@kentonv ah sorry, should have clarified that's what I was proposing. Specifically I was imagining signing up via email, adding phone authentication, and then being able to log in via phone authentication without opening email.

lusealover commented 7 years ago

any looks on 2factor?

strugee commented 7 years ago

@lusealover this issue is broader than just 2-factor auth. That being said if you could refrain from asking questions like that, that would be great - they don't really add to the discussion and just create more email for the people subscribed to this issue and watching this repository.

Thanks!

vladionescu commented 5 years ago

In the case of an air-gapped Sandstorm instance, TOTP or some other code generator is preferable to email (at least, for my use case).

If it was rate limited to 3 tries per TOTP refresh period (typically 60 seconds), 3/1_000_000 are good odds for resisting brute force.

I'm going to explore adding this in, but figuring out Sandstorm's authentication code has been challenging. Are there any notes somewhere I could use to get up to speed on how the various auth providers are implemented?

ocdtrekkie commented 5 years ago

Sandstorm developers tend to express a lot in the code comments. There hasn't been documentation written explicitly on how to create new authentication methods for Sandstorm, but it's likely that anywhere the authentication code exists there are pretty decent comments on what's being done.

vladionescu commented 5 years ago

Is there a "simplest" auth provider I can figure out? I spent a few hours on the email token implementation yesterday and mostly have it but it's still obtuse and feels like there's a lot of opinionated implicit magic happening, and I'm not sure if that's because that's just how it is with Meteor or if I'm missing some critical glue code.

ocdtrekkie commented 5 years ago

Sandstorm generally uses Meteor's account packages where possible, and I think in some cases does pull in the public Meteor packages for like GitHub and Google login. Sandstorm is very opinionated about authentication, in that Sandstorm doesn't like to be responsible for it. (Which is why there's no straight username and password option, for instance.)