sinamics / ztnet

ZTNET - ZeroTier Web UI for Private Controllers with Multiuser and Organization Support.
https://ztnet.network
GNU General Public License v3.0

[Feature Request]: MFA possibility #456

Closed leyoda closed 1 month ago

leyoda commented 3 months ago

🚀 Feature Summary

2FA to ZTNET services

📝 Detailed Description

Description for Adding 2FA to ZTNET

To enhance security for new clients joining a network, we propose implementing a two-factor authentication (2FA) process:

User Generation:
    When a client requests to join a network, ZTNET generates a unique user ID and temporary password.

OTP Code:
    The client receives a One-Time Password (OTP) via a secure channel (email, SMS, or authenticator app).

Login and Authentication:
    The client logs in using the generated user ID and temporary password.
    They enter the OTP to complete the authentication and join the network.

Password Update:
    After the first login, the client is prompted to change their password to a personal, secure one.

This process ensures that only authorized users can join the network, providing an additional layer of security with 2FA.

🎯 Use Case

Example of 2FA Implementation on ZTNET for User "wopr"

User Registration:
    The user "wopr" is registered in a specific organization on ZTNET.
    A unique user ID and temporary password are generated for "wopr".

QR Code for OTP:
    Upon registration, "wopr" receives a QR code via email.
    The QR code can be scanned using an authenticator app (e.g., Google Authenticator) to generate the OTP.

Login and MFA Page:
    Before joining the desired network, "wopr" must log in on the ZTNET MFA page.
    "wopr" uses the user ID and temporary password for the initial login.

Entering OTP:
    After logging in with the temporary credentials, "wopr" is prompted to enter the OTP generated by the authenticator app.
    Upon successful entry of the OTP, "wopr" is authenticated.

Network Access:
    Once authenticated via MFA, "wopr" is authorized to join the specified network.

Password Update:
    "wopr" is then prompted to update the temporary password to a secure, personal password.

This process ensures that "wopr" undergoes a secure MFA procedure before gaining access to the network, adding an extra layer of security by using a QR code for OTP generation.

💡 Willing to Contribute

No, I can only suggest the feature but cannot help in development or testing
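
The flow requested above (temporary password, then a TOTP code from an authenticator app, then a forced password change), as an added worked example that is not part of this issue and not ZTNET's own code. The HOTP/TOTP functions follow RFC 4226 / RFC 6238 and are checked against the RFC test vectors; the `Enrollment`, `first_login` and `set_password` names, the "ZTNET" issuer label and the user "wopr" are illustrative assumptions. The verifier also shows two details the issue text does not spell out: a small clock-skew window, and rejection of a code that has already been accepted.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, user: str, issuer: str = "ZTNET") -> str:
    """otpauth:// URI that authenticator apps accept when rendered as a QR code (issuer label assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(user)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30"


@dataclass
class Enrollment:
    """Hypothetical server-side state for a newly created user; not ZTNET's schema."""
    user: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(20))
    temp_password: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    must_change_password: bool = True
    last_counter: int = -1  # highest time step already accepted; used to reject replayed codes


def verify_totp(enr: Enrollment, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept a code from +/-`window` steps around `at` (clock skew), but each step at most once."""
    now = at // step
    for c in range(now - window, now + window + 1):
        if c <= enr.last_counter:
            continue  # this step (or an older one) was already consumed: replay
        if hmac.compare_digest(hotp(enr.secret, c), code):
            enr.last_counter = c
            return True
    return False


def first_login(enr: Enrollment, password: str, code: str, at: int) -> str:
    """The issue's flow: temporary password first, then the OTP, then a forced password change."""
    if not hmac.compare_digest(password, enr.temp_password):
        return "bad-password"
    if not verify_totp(enr, code, at):
        return "bad-otp"
    return "change-password" if enr.must_change_password else "ok"


def set_password(enr: Enrollment, new_password: str) -> None:
    """Demo only: a real deployment stores a salted password hash, never the password itself."""
    enr.temp_password = new_password
    enr.must_change_password = False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed input, not a real user's secret).
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))  # RFC vector for T=59 with SHA1

    wopr = Enrollment("wopr")
    print("QR payload for wopr:", provisioning_uri(wopr.secret, wopr.user))
    import time
    now = int(time.time())
    print(first_login(wopr, wopr.temp_password, totp(wopr.secret, now), now))
    set_password(wopr, "a-new-personal-password")
```

The window of one step on each side tolerates about 30 seconds of phone/server clock drift; `last_counter` guarantees that a code observed in transit cannot be submitted a second time within that window.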

leyoda commented 3 months ago

Or, perhaps simpler, the generated OTP code is added to the ID of the network to connect to, for validation.