zencart / zencart

Zen Cart® is a full-function e-commerce application for your website.

Add 2-factor-auth support to admin login #570

Closed drbyte closed 6 years ago

drbyte commented 9 years ago

Architectural changes are needed to improve the 2-factor-auth capability of the Admin.

Per PA-DSS 3.1 Specification 10.1 and PCI DSS 3.1 Specification 8.3

bislewl commented 9 years ago

What are your thoughts on how this would be done?

drbyte commented 9 years ago

Ideally it should hook into existing (or maybe additional) notifier hooks.

But some UI changes will be needed to throw up the necessary input box for the 2FA token to be entered.

Ideally it should be provider-agnostic, so that services such as Authy and Duo-Mobile and maybe even Google Authenticator can be used. (The latter is only available as a SmartPhone App, but the others can also send SMS messages, if an appropriate service is purchased.) Optionally perhaps YubiKey.

I think it will also require a bit of changing the logic for how existing login happens.

This issue also has relationship to #571

bislewl commented 9 years ago

Google Authenticator has desktop solutions, including an extension for Chrome, and there is a GitHub repo from someone who has done most of the work: https://github.com/PHPGangsta/GoogleAuthenticator.

I like your idea of notifier hooks, as it is extensible. Not to make it overly complicated for the shop owners, but they could add 2-factor authentication to other actions they choose, perhaps: they wish to require it for things like adding/removing/modifying admin users, deleting customers, or even plugins could add that requirement. That would be in ADDITION to the required items mentioned in #571.
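
Google Authenticator, Authy and the other authenticator apps mentioned in this thread all generate RFC 6238 TOTP codes, so a provider-agnostic server side only needs to verify TOTP. The following is an added example written for this page, not Zen Cart code and not the PHPGangsta library's API. It decodes the base32 secret the apps import, computes HOTP/TOTP with the SHA-1 and 30-second step the apps default to, and verifies a submitted code with a one-step clock-drift window, a constant-time compare, and a "last used step" check so an accepted code cannot be replayed. The function and constant names are my own; the caller is assumed to persist the returned step per admin user.

```php
<?php
declare(strict_types=1);

// Added example for the issue discussion above; not part of Zen Cart.
const TOTP_STEP_SECONDS = 30;   // time step X from RFC 6238
const TOTP_DIGITS       = 6;    // what Google Authenticator / Authy display
const TOTP_WINDOW       = 1;    // accept one step of clock drift either way

/** Decode an RFC 4648 base32 string (the format authenticator apps import). */
function base32_decode_totp(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {           // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226) for a 64-bit counter, using the HMAC-SHA1 the apps expect. */
function hotp(string $secret, int $counter, int $digits = TOTP_DIGITS): string
{
    $msg    = pack('J', $counter);                     // 8-byte big-endian counter
    $hmac   = hash_hmac('sha1', $msg, $secret, true);  // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;                   // dynamic truncation
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP over the current 30-second time step. */
function totp(string $secret, int $now): string
{
    return hotp($secret, intdiv($now, TOTP_STEP_SECONDS));
}

/**
 * Verify a submitted code. Returns the matched time step on success (store it
 * for this admin user and pass it back as $lastUsedStep next time) or null on
 * failure. Refusing steps <= $lastUsedStep blocks replay of a code that was
 * already accepted while it was still inside the drift window.
 */
function totp_verify(string $secret, string $submitted, int $now, int $lastUsedStep = -1): ?int
{
    if (!preg_match('/^\d{' . TOTP_DIGITS . '}$/', $submitted)) {
        return null;                                   // wrong shape, no HMAC needed
    }
    $current = intdiv($now, TOTP_STEP_SECONDS);
    for ($delta = -TOTP_WINDOW; $delta <= TOTP_WINDOW; $delta++) {
        $step = $current + $delta;
        if ($step <= $lastUsedStep) {
            continue;                                  // already consumed
        }
        // hash_equals is constant-time, so the compare leaks nothing by timing
        if (hash_equals(hotp($secret, $step), $submitted)) {
            return $step;
        }
    }
    return null;
}

// Usage with the RFC 6238 Appendix B test vector: the ASCII secret
// "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at
// Unix time 59 gives the 6-digit code 287082.
$secret = base32_decode_totp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
assert(totp($secret, 59) === '287082');
$step = totp_verify($secret, '287082', 59);            // 1 (step 59 / 30)
assert($step === 1);
assert(totp_verify($secret, '287082', 59, $step) === null);  // replay refused
assert(totp_verify($secret, '287082', 95) === 1);      // one step of drift still ok
```

Two things this shows that the library link alone does not: the secret must be decoded from base32 before it is used as the HMAC key (a common bug is HMACing the base32 text), and a drift window without a last-used-step record lets the same code be accepted more than once for up to 90 seconds, which matters when the code has been shoulder-surfed or phished in real time.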

drbyte commented 9 years ago

> Not to make it overly complicated for the shop owners but they could add 2-factor authentication to other actions they choose, perhaps: They wish to require it for things like adding/removing/modifying admin users, deleting customers, or even plugins could add that requirement. That would be in ADDITION to the required items mentioned in #571

It does run the risk of making things overly complicated. I think that the implementation should make it possible for it to be triggered for those, but not impose it. I imagine most would say that putting 2FA on anything more than login causes unnecessary inconvenience when a password will do (since the 2FA was already done in order to get to the screen where those other actions are triggered). There will be those who think it should be applied everywhere, but even banks who use 2FA only require it at login ... and even github and dropbox and google only require it at login and just a password everywhere else.

bislewl commented 9 years ago

I agree, require it just at login. And then offer others via notifier hooks to shop owners? Couldn't we use something like: $_SESSION['navigation']->set_snapshot(); so we can redirect them to the correct page after authentication. Versus the current $_GET['camefrom']?

drbyte commented 9 years ago

Ya, Notifier hooks may be a good way to open room for other places.

Eeks. I hate that navigation class. Perhaps more than just camefrom may be necessary. But without a modernization of the nav class I shudder at adding it to the admin too.
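
Whichever of the two mechanisms discussed above is used to remember where the admin was heading (a `camefrom` parameter or a navigation snapshot), the value that drives the post-2FA redirect comes from the client and must be validated, or the login page becomes an open redirect that a phishing link can aim at an attacker's site. The following is an added example, not Zen Cart code; the function name and the `$adminBase` argument are my own (Zen Cart installs rename the admin directory, so the base path is passed in rather than assumed).

```php
<?php
declare(strict_types=1);

/**
 * Added example for the redirect-after-2FA discussion; not part of Zen Cart.
 * Returns a relative path under $adminBase that is safe to put in a Location
 * header, or $default when $camefrom is missing or points anywhere else.
 */
function safe_admin_return_path(?string $camefrom, string $adminBase, string $default): string
{
    if ($camefrom === null || $camefrom === '') {
        return $default;
    }
    // Reject anything carrying a scheme or host: "https://evil.example/...",
    // protocol-relative "//evil.example", and backslashes, which some browsers
    // normalise to "/" so that "/\evil.example" also leaves the site.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $camefrom)
        || substr($camefrom, 0, 2) === '//'
        || strpos($camefrom, '\\') !== false) {
        return $default;
    }
    $parts = parse_url($camefrom);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    $path   = $parts['path'] ?? '';
    $prefix = rtrim($adminBase, '/') . '/';
    // Must stay inside the admin directory, with no ".." segments.
    if (strpos($path, $prefix) !== 0 || preg_match('#(^|/)\.\.(/|$)#', $path)) {
        return $default;
    }
    $target = $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
    // CR/LF would let the value inject extra response headers.
    return str_replace(["\r", "\n"], '', $target);
}

// Constructed inputs showing what is kept and what falls back to the default.
$base = '/admin';
$home = '/admin/index.php';
assert(safe_admin_return_path('/admin/customers.php?cID=7', $base, $home) === '/admin/customers.php?cID=7');
assert(safe_admin_return_path('https://evil.example/admin/', $base, $home) === $home);
assert(safe_admin_return_path('//evil.example/admin/', $base, $home) === $home);
assert(safe_admin_return_path('/admin/../index.php', $base, $home) === $home);
assert(safe_admin_return_path('/shop/index.php', $base, $home) === $home);
assert(safe_admin_return_path(null, $base, $home) === $home);
```

The same check applies to a stored snapshot: storing the destination server-side stops tampering in transit, but the stored value was still produced from a request the client controlled, so validate it at the moment of redirect either way.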

drbyte commented 9 years ago

Related reading: https://m.joind.in/event/phpnw15/secure-your-web-application-with-two-factor-authentication

drbyte commented 9 years ago

And then there's the 2FA FIDO standard that Github and other big players (Google, Yubico, Dropbox, etc) are now supporting too: https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication https://www.yubico.com/applications/fido/

jsteggy commented 8 years ago

Hi, two-factor would be awesome. In addition to the FIDO "standard", I'd like to see Secure Quick Reliable Login (SQRL) https://www.grc.com/sqrl/sqrl.htm implemented. The URL gives a lot more info if you're curious; also no hardware key required. :) And there are already lots of repos on GitHub for SQRL.

bislewl commented 8 years ago

Was just thinking one thing that should require 2-factor-auth is turning off "send emails".