tbar0970 / jethro-pmm

Jethro Pastoral Ministry Manager
GNU General Public License v3.0

Feature Request: 2FA for logins #925

Closed NeilAtw closed 1 month ago

NeilAtw commented 1 year ago

I have read the previous thread about this, but wanted to suggest that 2FA using a tool like Google Authenticator seems like a better and more secure solution than SMS or even email. Thoughts?

tbar0970 commented 1 year ago

More secure, yes. Less convenient and more work to implement. The usual security tradeoff!

NeilAtw commented 1 year ago

I certainly get that Tom - but is any 2FA on the roadmap for Jethro?

jefft commented 1 year ago

Previous thread: #858

TOTP (Authy, Google Authenticator) is more secure than SMS, and probably easier to implement, but requires users to install an app.

The new state of the art is WebAuthn / Passkeys, with GMail support announced by google and recently enabled for Google Workspace. The whole idea of logging in with a username and per-app password is becoming obsolete. Hence my 2c on #858, that it would be best to outsource auth completely, to an app like Keycloak that does 2FA, passkeys or whatever the latest hotness is.

tbar0970 commented 1 year ago

> but is any 2FA on the roadmap for Jethro?

It's certainly under discussion, as Jeff notes above!

@NeilAtw, in your context would Google Authenticator be preferable to SMS 2FA? Would syndicated auth from google etc be workable?

tbar0970 commented 1 year ago

Using Google Authenticator and other TOTP apps is a bit more dev work than SMS 2FA, because there needs to be a mechanism for setting up the shared key, whereas SMS just uses the mobile number, which is data Jethro already possesses.
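The "mechanism for setting up the shared key" is the whole difference between TOTP and SMS: the server generates a random secret, hands it to the user exactly once (normally as an otpauth:// QR code scanned into Google Authenticator or Authy), stores it, and later recomputes the six-digit code from the secret and the current time. The block below is an added illustration of that enrollment and verification flow in Python, written for this page; it is not Jethro code (Jethro is PHP) and not from anyone in this thread. The function names, the "Jethro" issuer label and the +/-1 step drift window are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional, Tuple

PERIOD = 30   # RFC 6238 default time step, seconds
DIGITS = 6


def generate_totp_secret(nbytes: int = 20) -> str:
    """Enrollment step 1: a fresh random secret, base32-encoded (this is what the QR code carries)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str = "Jethro") -> str:
    """Enrollment step 2: the otpauth:// URI that authenticator apps import from a QR code.
    The issuer label is an assumption for this example."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32.rstrip("="), "issuer": issuer,
         "algorithm": "SHA1", "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / PERIOD)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // PERIOD))


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                window: int = 1, last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Returns (ok, step). Accepts codes from `window` steps either side of now to absorb
    clock drift, refuses any step at or before the last one accepted (so a code seen once
    cannot be replayed), and compares in constant time. The caller persists the returned
    step against the user on success."""
    now = time.time() if at is None else at
    current = int(now // PERIOD)
    for delta in range(-window, window + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret_b32, step), code):
            return True, step
    return False, None
```

The secret must be stored server-side like any credential (encrypted at rest, never logged), and the `last_used_step` check matters more than it looks: without it, a code phished or shoulder-surfed within the 30-second window is still valid for the attacker.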

NeilAtw commented 1 year ago

Thanks Tom (and others). I personally would be happy to see even SMS-based 2FA. While I am aware of the potential to hijack SMS contents, in the context that Jethro is used in I think the risk is manageable, and the payoff should be seen as a significant positive. :)

tim-pearce commented 1 year ago

Ok, I think I am ready to try implementing 2FA using SMS/email/list depending on what the user has available or chooses.

- SMS: the usual, send an OTP to the user's mobile number.
- Email: send it to the user's email address.
- List: for those who don't have SMS or email, we print a list of codes and they are asked to enter one of those (e.g. enter the 85th code on the sheet). Will leave this option to the last.

I'll base the SMS and email functions on the code in date_reminder.php, using https://phppot.com/php/how-to-implement-otp-sms-mobile-verification-in-php-with-textlocal/ as a basis for the OTP coding.

Option to be enabled by the presence of constants in config.php, i.e. if the constants are not there, nothing will change in the login process.

s4069b commented 1 year ago

Nice! Thanks for putting in the work.

tim-pearce commented 1 year ago

Fraid I haven't started this yet. I will ping Tom when I do get to it in case he is working on it.

I am thinking 2FA may not be required for member logins. Just staff logins. That could be parameterised in configurations.

NeilAtw commented 1 year ago

Hi Tim, Tom. Thanks for the update. Just for consideration, our use case for Jethro (The office of the Director of Safe Ministry) means that we would like 2FA for member login if possible. We have around 120 churches (not individuals) keeping data in Jethro for their congregations, and the one or two authorised people in each church are the only church members who have a log in. They are the ones we would like to have 2FA for.

Cheers

--

Neil Atwood JP


tim-pearce commented 1 year ago

Neil, that would be just fine in my proposal. The parameters would be something like `2FA_MEMBERS = true/false` and `2FA_STAFF = true/false`, so entirely up to you. I might also add a test to see if they are within the office if the site is hosted within the office and turn 2FA off in that case.
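Tim's proposal above amounts to three pieces: a policy gate driven by config constants (per-role switches plus an in-office exemption), a server-side store for SMS/email codes, and the printed-list fallback from his earlier comment. The block below is an added, illustrative Python sketch of those three pieces written for this page; it is not Jethro's code (Jethro is PHP) and not from anyone in this thread. The constant names beyond `2FA_MEMBERS` and `2FA_STAFF`, the `192.0.2.0/24` "office" range, the five-minute lifetime and the five-attempt limit are all assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical config.php-style constants, modelled on the 2FA_MEMBERS / 2FA_STAFF idea.
# The trusted network is a constructed documentation range, not anyone's real office.
CONFIG = {
    "2FA_STAFF": True,
    "2FA_MEMBERS": True,
    "2FA_TRUSTED_NETWORKS": ["192.0.2.0/24"],
    "OTP_DIGITS": 6,
    "OTP_TTL_SECONDS": 300,
    "OTP_MAX_ATTEMPTS": 5,
}


def second_factor_required(role: str, client_ip: str, config: dict = CONFIG) -> bool:
    """Policy gate: skip 2FA when the role's switch is off or the client is on a trusted network.
    Caveat: the network exemption trusts the source address, so it only means something when
    the app sees the real client IP (not a reverse proxy's) and the office LAN itself is trusted."""
    if role == "staff" and not config["2FA_STAFF"]:
        return False
    if role == "member" and not config["2FA_MEMBERS"]:
        return False
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in ipaddress.ip_network(n) for n in config["2FA_TRUSTED_NETWORKS"])


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts_left: int
    channel: str   # "sms" or "email"


class OtpStore:
    """Server-side state for SMS/email codes (in Jethro this would live in the DB or session)."""

    def __init__(self, config: dict = CONFIG):
        self.config = config
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str, channel: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(self.config["OTP_DIGITS"]))
        self._pending[user_id] = PendingOtp(
            code, now + self.config["OTP_TTL_SECONDS"], self.config["OTP_MAX_ATTEMPTS"], channel)
        return code   # the caller hands this to the SMS gateway or mailer

    def verify(self, user_id: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.get(user_id)
        if pending is None or now > pending.expires_at:
            self._pending.pop(user_id, None)   # expired codes are discarded, not retried
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(pending.code, submitted)
        if ok or pending.attempts_left <= 0:
            del self._pending[user_id]         # single use; also wiped after too many guesses
        return ok


class PrintedCodeSheet:
    """The 'list' option: a numbered sheet of codes for users without SMS or email.
    Only hashes are kept server-side; `codes` exists so the sheet can be printed once.
    An 8-digit code has only 10^8 values, so a real deployment should use a slow hash."""

    def __init__(self, count: int = 100, digits: int = 8):
        self.codes: List[str] = [
            "".join(secrets.choice("0123456789") for _ in range(digits)) for _ in range(count)]
        self._hashes = [hashlib.sha256(c.encode()).hexdigest() for c in self.codes]
        self._used: Set[int] = set()

    def challenge(self) -> int:
        """Pick an unused 0-based position to ask for (shown to the user as position + 1)."""
        unused = [i for i in range(len(self._hashes)) if i not in self._used]
        return secrets.choice(unused)

    def verify(self, index: int, submitted: str) -> bool:
        if index in self._used or not 0 <= index < len(self._hashes):
            return False
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        ok = hmac.compare_digest(digest, self._hashes[index])
        if ok:
            self._used.add(index)   # each printed code is accepted once
        return ok
```

The attempt limit and expiry are what make a six-digit SMS/email code defensible at all: without them an attacker who knows the username can simply enumerate the million possibilities. The in-office exemption should be treated as a convenience, not a control, since a visitor on the office Wi-Fi gets the same exemption.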

NeilAtw commented 1 year ago

That would be great Tim, thanks. 😊

--

Neil Atwood JP


tbar0970 commented 10 months ago

I've started work on this.

tim-pearce commented 10 months ago

Thanks for that. I shouldn't promise to do things during school terms! I was going to add some suggestions but I see I already did so on September 7! School term ends soon. If you want any help or 'crash testing' let me know.

tbar0970 commented 1 month ago

Complete