tbar0970 / jethro-pmm

Jethro Pastoral Ministry Manager
GNU General Public License v3.0

Two factor auth #858

Open tim-pearce opened 1 year ago

tim-pearce commented 1 year ago

I currently run my Jethro on an internal network only. I am reluctant to run it on a public site as people can use, what I would consider, weak passwords. I use KeePass so am able to have very strong passwords but others don't.

To mitigate the risks I would like there to be TFA (Two Factor Authentication) available. Two ways to do this are to use SMS or OTP.

SMS does not require any special software for the user but means you need to pay for the SMS messages you send.

OTP (One Time Password) does require an app or program but there are a number of them available for free. There is no cost as you don't need to send anything. I came across OTP in Wordpress recently.

jefft commented 1 year ago

On this topic, I'd love to experiment with completely outsourcing authentication, e.g. to KeyCloak (or Ory, Authelia etc). This could be done at the webserver layer, e.g. Apache running mod_auth_oidc. The flow would be:

The only Jethro modification needed is an "outsource authentication" mode, where a trusted HTTP request header sets the username.
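For the "outsource authentication" mode described above, an added Python sketch (not Jethro's code) of the one check that mode needs: honour the username header only when the request actually arrived through the trusted proxy, otherwise a client that can reach the app directly could set the header itself. The header name and proxy address ranges are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed configuration for an "outsource authentication" mode.
OUTSOURCE_AUTH = True
AUTH_HEADER = "X-Remote-User"   # assumed name of the header the auth proxy sets after its own login
TRUSTED_PROXIES = [ip_network("127.0.0.1/32"), ip_network("10.0.0.0/8")]  # assumed proxy addresses


def remote_user(headers: dict, remote_addr: str):
    """Username asserted by the auth proxy, or None to fall back to Jethro's own login."""
    if not OUTSOURCE_AUTH:
        return None
    # The header is only meaningful if the request really came through the proxy;
    # a client connecting to the app directly could send any X-Remote-User it likes.
    if not any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        return None
    user = (headers.get(AUTH_HEADER) or "").strip()
    return user or None
```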

tim-pearce commented 1 year ago

I read the Keycloak and other links. Struggling to see 2FA there! Certainly 2FA is what I want. I won't use social logins.

jefft commented 1 year ago

See this section in Keycloak docs on 2FA.

Keycloak is self-hosted. A quick way to add a layer of protection is to put Jethro behind Cloudflare Zero Trust proxy. This forces login through some sort of identity provider before the user even gets to the Jethro login. It's free for up to 50 users.

s4069b commented 1 year ago

I have also been thinking it would be good to have 2FA. At the risk of showing my ignorance - is an email code as safe as sms?

jefft commented 1 year ago

I have also been thinking it would be good to have 2FA. At the risk of showing my ignorance - is an email code as safe as sms?

Are you referring to Cloudflare's "One-time pin" option, which sends a code by email instead of SMS?

If so - it establishes that the person logging in has actual control over the email address, which is an authentication "second factor" (knowing the password is the first factor). So it's 2FA, just a different F to an SMS code.

s4069b commented 1 year ago

I was referring to the original post and asking why not email: To mitigate the risks I would like there to be TFA (Two Factor Authentication) available. Two ways to do this are to use SMS or OTP.

tbar0970 commented 1 year ago

is an email code as safe as sms?

That's an interesting question, since emails are cheaper to send.

Good answers here: https://www.twilio.com/blog/email-2fa-tradeoffs

It's noteworthy that in Jethro, your username is not generally the same as your email address, and Jethro doesn't support email-based password resets (for the control centre), so this eliminates some of the downsides of email 2FA.

tim-pearce commented 1 year ago

I think email is fine for initial verification but would be a pain for regular login as sometimes emails may take quite a while to arrive.

I am thinking along the lines of registering a browser and using a cookie. Can't find anything on the internet that does this yet. It would work like this:

For every user there is a table containing browser signature and a key value.

User logs in on a browser with no entry in the table:
  Generate a random key, put it in the table and email it to the user
  Prompt on screen for user to enter the key
  User enters the key on the screen and it is saved as a cookie

If there is an entry for the browser:
  If the cookie matches the value in the table, continue as logged in
  else send a notification email and lock the user out of that browser for a period of time

Any thoughts? Is there a flaw in this logic? Much more convenient.

I think Google may use something like this at least part of the time (seems really inconsistent). I've had problems logging into the church youtube account from a different computer at times (and I don't have the phone used for verification!)
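The browser-registration scheme proposed above, as an added Python sketch (not Jethro's code and not the poster's), with the two details a practitioner would add: the table stores only a hash of the emailed key, so a leaked table does not yield usable cookies, and the emailed key expires. The TTL, lockout period, key length and the in-memory table standing in for the database and the outgoing mail are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_TTL = 10 * 60   # assumed: the emailed key must be typed within 10 minutes
LOCKOUT = 15 * 60   # assumed: a browser is locked for 15 minutes after a bad cookie

@dataclass
class BrowserRecord:
    key_hash: str             # only a hash is stored, so a leaked table yields no cookies
    issued_at: float
    confirmed: bool = False   # set once the user has typed the emailed key
    locked_until: float = 0.0

@dataclass
class RegisteredBrowsers:
    table: dict = field(default_factory=dict)   # (user, browser_sig) -> BrowserRecord
    outbox: list = field(default_factory=list)  # constructed stand-in for sending email

    @staticmethod
    def _hash(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def login(self, user, sig, cookie, now):
        """Run after the password check; returns what the UI should do next."""
        rec = self.table.get((user, sig))
        if rec is None or not rec.confirmed:
            key = secrets.token_urlsafe(16)   # fresh random key, emailed, never stored in clear
            self.table[(user, sig)] = BrowserRecord(self._hash(key), now)
            self.outbox.append((user, f"browser key: {key}"))
            return "prompt_for_key"
        if now < rec.locked_until:
            return "locked"
        if cookie and hmac.compare_digest(self._hash(cookie), rec.key_hash):
            return "logged_in"
        rec.locked_until = now + LOCKOUT     # cookie missing or wrong: lock and notify
        self.outbox.append((user, f"failed login from registered browser {sig}"))
        return "locked"

    def confirm_key(self, user, sig, typed, now):
        """User typed the emailed key; on success return the value to set as the cookie."""
        rec = self.table.get((user, sig))
        if rec is None or rec.confirmed or now - rec.issued_at > KEY_TTL:
            return None
        if not hmac.compare_digest(self._hash(typed), rec.key_hash):
            return None
        rec.confirmed = True
        return typed   # the app sets this as a Secure, HttpOnly cookie
```

The lockout only protects the registered-browser path; as the next reply points out, it does nothing for a device that is already unlocked and holds the cookie.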

tbar0970 commented 1 year ago

A long-lived cookie like this is not a bad idea. Various sites use it. But unlike SMS auth it doesn't protect against the left-my-computer-unlocked-on-the-train scenario.

tim-pearce commented 1 year ago

In that scenario you contact your administrator to lock the device out of the system.

tbar0970 commented 1 year ago

Sure, although that will take some time. And if you've saved the password in your browser and the person who picks up your device has access to your email they can generate a new long-term cookie. And maybe you don't realise what's happened until the next day anyway.

The bigger point is that genuine 2FA does provide extra protection, that's why people use it as well as long-term cookies.

This is the point at which @jefft chimes in to point out that auth providers like google provide all this stuff out of the box :)

tim-pearce commented 1 year ago

I don't let my browser remember passwords - but that's me!

s4069b commented 1 year ago

I had a play with Cloudflare Zero Trust with a policy that includes country = Australia and requires emails ending in @my.domain and negotiates with a one-time-pin. I reckon that's pretty good for the time being.

As far as building something into Jethro goes, now that I've had a bit of a play around I'd say a choice of SMS or email (or no 2FA) are enough options.

If you have an email account that is slow receiving one-time-codes then you could pray for hackers while you are waiting - pray they would see the error of their ways :) Or use the time to build a faster email server (eg hestiacp with amazonses SMTP relay for all outgoing emails)