Closed: Anyeos closed this issue 4 years ago
Searching and searching, I finally found something:
1- The web app (Symfony) creates a QR code with a key.
2- The user scans it with some app on his/her phone.
3- Both the web and the phone app will have the same key saved.
4- Both the web and the phone app will generate a 6-digit code.
5- The user inputs that code on the web, and
6- The web finally checks that code against the internal one.
The generated 6-digit code will be the same because both (the web and the phone app) use the same references: the QR key and the time. The lacking part here was the "time". I just didn't figure out that it is possible to have the same time on both sides (or almost the same, because there is something like a 30-second margin).
I think it is important to write a quote in the documentation just to clarify the above. Then it will be possible for newcomers like me to understand it faster.
> Searching and searching, I finally found something: 1- The web app (Symfony) creates a QR code with a key. 2- The user scans it with some app on his/her phone. 3- Both the web and the phone app will have the same key saved. 4- Both the web and the phone app will generate a 6-digit code. 5- The user inputs that code on the web, and 6- The web finally checks that code against the internal one.
This is the Time-Based One-Time Password (TOTP) algorithm, and Google Authenticator is a very popular specific implementation of this algorithm with a 30-second time period and 6-digit codes. TOTP is more flexible.
But TOTP is just one of many methods to implement two-factor authentication. Providing the integration of two-factor authentication with the Symfony framework is the goal of this bundle. And since they're so popular, it comes out-of-the-box with Google Authenticator, the more generic TOTP and code via email as two-factor authentication methods.
> I think it is important to write a quote in the documentation just to clarify the above. Then it will be possible for newcomers like me to understand it faster.
Added some cross-links in https://github.com/scheb/two-factor-bundle/commit/14b5d78a81fd1d81d351cf8d6ae7a2c3ab4f7c92 => Better?
If you find any resources out there which do a great job in explaining two-factor authentication, Google Authenticator or TOTP, I'm happy to link them.
I found this: https://security.stackexchange.com/questions/35157/how-does-google-authenticator-work
I think your link additions are very useful. I just didn't find that information on the first search. So thank you.
It is better now, of course.
The next part is only a suggestion. I don't want you to change your mind or anything like that. I am very thankful for your effort in making such a project.
I just saw that each 2fa method is different. For example, using SMS is simply sending a code from a server, delivering it to the phone line of the user's cellphone. But TOTP is another story: the user has an app on the phone that receives and saves a key. Next it uses that key to generate the code based on time. That is a completely different process. The user needs a smartphone, but with SMS he/she can use a standard phone. And HOTP is another way, similar but not the same as the two above.
The point is that the above made me somewhat confused about how to proceed. Maybe I am wrong (I am just learning this 2fa thing right now), but maybe the documentation (and the project itself) needs to draw a line or separate those things very well (somewhat modularized? I don't know).
I only want to let you know what made me get lost on the way. It is hard to figure out that there are a lot of 2fa authentication methods that are very different from each other. So in the place where it says that one must create a QR code, it was hard for me to figure out how to really proceed with that in my code. Because I use my own logic to protect my web site, it is not the same for me to implement 2fa with SMS or using TOTP. I think there can be a generic procedure for doing that on Symfony that this bundle can achieve.
Maybe the steps can be something like this:
1- Create a "token" (it will include all that we need).
2- Show the user the form element (or include it in some place).
3- Check.
These three steps may be achieved in code as follows. Note: I called it "token" because I don't know what name to give it. But I hope it is understandable.
1- On a Controller, create the "token": `$user->Set2FAToken(TwoFactorInterface->CreateToken());`. In this step we must persist the token object to the user. The "token" object can be another new Entity with the corresponding fields (arbitrary fields that depend on each 2FA method used, which we don't care about here).
2- Render the form (2fa_login) to the user (on the same controller) and wait for the user to POST the code. In this step, if there is a QR code the bundle will show it. If it is waiting for an SMS it will not show a QR but only the input box, and so on.
3- On the same controller, when the form is valid, verify the code supplied by the user: `if ($user->get2FAToken()->getCode() === $form['code']->getData()) { ... }`. We can proceed successfully or not. If not, we can create a new "token" and start again, or we can show the user the form again with a message of no success.
I guess with my suggestion we don't need to worry about what kind of 2FA method we are using when coding the authentication part, and there are only 3 steps to take care of, all on the same Controller.
Of course, we need to create a separate entity to save the fields of the 2FA method that we are using. But that is not a problem, I think, and it is a good idea because we can have things more ordered.
I don't know if you want a more low-level implementation; then my suggestion can be implemented in another bundle, maybe. But I think what I am proposing is not a bad idea anyway.
Note: The above code is only for example purposes of the concept that I am trying to explain. Don't take it literally, because some of it may be wrong.
What you're suggesting - a more generic implementation of 2fa - is exactly what the bundle does. In its core it is providing a generic interface to implement any 2fa method you want. See how the interface for custom 2fa methods works.
Besides this generic interface, it automatically comes with Google Authenticator, TOTP and Email-Code authentication methods that are already implemented and ready to be used, because they are so common.
There is actually the idea of splitting off the 2fa methods into separate bundles (#154), so that scheb/two-factor-bundle only provides the generic interface. But this is not going to happen before the next major version.
Bundle version: scheb/two-factor-bundle (v4.12.0)
Symfony version: 4.3.*
Description
I read all the documentation and configuration options, but I don't know how it really works. How does it connect to a server? How do I force the user to do 2fa after logging in? Where are the forms? If I open /2fa_login or /2fa_login_check on my server it says 404 not found. If I open /2fa my server says: Access Denied. I have a working environment without 2fa and now I want to implement 2fa, but I still don't understand how to achieve that. I didn't find where to put a server address (i.e. a Google server) to communicate with, or something like that. If I am understanding it right.
To Reproduce
If I am right, the two-factor authentication with QR code works as follows:
1- My web app (Symfony in this case) generates a QR code.
2- The user scans that QR code and opens the address that it points to.
3- The user gets a simple temporary numeric code.
4- He/She puts it in the edit box and confirms.
5- My web app must check that with the server to confirm it.
Additional Context
So, where is the place to put a server address in the bundle configuration? What kind of server and protocol must that be? Is it a standard one? Does it use simple HTTP GET or JSON? Are my steps correct? Am I understanding it right?
Sorry, but I am searching on the internet too without much success. It appears that nobody wants to explain it correctly. There are a lot of superficial explanations. Luckily I have the source code of this project, so I can study it as a last resort.
Thank you