zeruniverse / Password-Manager

An online KeePass-like tool to manage passwords. Client-side AES encryption!

Feature proposal: email verification on new device #226

Closed zeruniverse closed 4 years ago

zeruniverse commented 6 years ago

On the login page, there will be a hidden input box for the email verification code. It becomes visible after the client receives a login error message from the server.

When the user logs in, the server first checks the password hash & username combination. If it matches, the server checks a cookie ‘K’ which should be unique given the password hash & username & a random seed saved on the server side (to prevent users from generating ‘K’ themselves). If ‘K’ does not match, or ‘K’ does not exist, the server returns an error and sends an email to the address on the user’s profile. A session variable is set to the sent verification code. The next time the user tries to log in, if the verification code matches, the server sets a cookie ‘K’ with 3 months’ validity. Otherwise, the verification code is regenerated and resent, up to the maximum allowed number of times. All email sending and verification is done after the password hash check has passed. The server returns the same error message for all non-server-side login errors. So without mailbox access, the person doesn’t know whether the password is wrong or the email verification code is wrong.

This mechanism will further prevent brute-force attacks on simple login passwords. For the email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

This is an optional feature that can be turned on in config.php. If turned on, the user should provide a SendGrid API key.
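The login flow proposed above, modelled as an added Python example (this is illustrative code, not code from this project, which is written in PHP). The device cookie ‘K’ is an HMAC over username, password hash and a per-user server-side seed, with an expiry baked in so it cannot be forged or extended by the client; the pending verification code is kept in a dictionary that stands in for the PHP session; the mail API is replaced by an in-memory outbox; and every client-side failure (wrong password, missing or bad ‘K’, wrong code) returns the same generic message. The cookie lifetime, resend limit, field names and class name are assumptions.

```python
import hmac
import hashlib
import secrets
import time

GENERIC_ERROR = "Login failed"      # one message for wrong password, bad/missing K and wrong code
COOKIE_LIFETIME = 90 * 24 * 3600    # the proposal's "3 months" of validity (assumed as 90 days)
MAX_CODE_SENDS = 3                  # hypothetical cap on regenerating/resending the code


class DeviceVerification:
    """Toy server-side model of the proposal; not the project's implementation."""

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be exercised in tests
        self.users = {}      # username -> {"pw_hash", "email", "seed"}
        self.pending = {}    # username -> {"code", "sent"}; stands in for the PHP session
        self.outbox = []     # (email, code) pairs recorded instead of calling a mail API

    def register(self, username, pw_hash, email):
        self.users[username] = {"pw_hash": pw_hash, "email": email,
                                "seed": secrets.token_bytes(32)}

    def update_password(self, username, new_pw_hash):
        # The proposal rotates the random seed on password update, which
        # invalidates every previously issued K for this user.
        self.users[username]["pw_hash"] = new_pw_hash
        self.users[username]["seed"] = secrets.token_bytes(32)

    def _sign(self, username, expires):
        u = self.users[username]
        msg = f"{username}|{u['pw_hash']}|{expires}".encode()
        return hmac.new(u["seed"], msg, hashlib.sha256).hexdigest()

    def _issue_cookie(self, username):
        expires = int(self.now()) + COOKIE_LIFETIME
        return f"{expires}.{self._sign(username, expires)}"

    def _cookie_valid(self, username, cookie):
        if not cookie or "." not in cookie:
            return False
        exp_str, sig = cookie.split(".", 1)
        if not exp_str.isdigit() or int(exp_str) < self.now():
            return False
        # Recompute the MAC from the server seed; constant-time compare.
        return hmac.compare_digest(sig, self._sign(username, int(exp_str)))

    def _send_code(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        sent = self.pending.get(username, {}).get("sent", 0) + 1
        self.pending[username] = {"code": code, "sent": sent}
        self.outbox.append((self.users[username]["email"], code))

    def login(self, username, pw_hash, cookie=None, code=None):
        """Returns (ok, message, new_cookie_or_None)."""
        u = self.users.get(username)
        # 1. Password hash & username first; no mail is sent until this passes.
        if u is None or not hmac.compare_digest(u["pw_hash"], pw_hash):
            return False, GENERIC_ERROR, None
        # 2. Known device: a valid, unexpired K ends the check here.
        if self._cookie_valid(username, cookie):
            return True, "ok", None
        # 3. Unknown device: accept the pending verification code and issue K.
        pend = self.pending.get(username)
        if pend and code is not None and hmac.compare_digest(pend["code"], code):
            del self.pending[username]
            return True, "ok", self._issue_cookie(username)
        # 4. Otherwise (re)generate and resend the code, up to the limit,
        #    and answer with the same generic error as a wrong password.
        if not pend or pend["sent"] < MAX_CODE_SENDS:
            self._send_code(username)
        return False, GENERIC_ERROR, None
```

Because the cookie carries its own expiry under the MAC and is recomputed from the server seed on every check, the server stores nothing per device; rotating the seed on password change is what logs every remembered device out at once.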

zeruniverse commented 6 years ago

The random seed will be updated on password update. And we should also allow users to change their email address because it’s now useful. We need to verify their email addresses (using a verification code) before updating the database, since users will not be able to log in if they don’t input a correct email address.

Pofilo commented 6 years ago

We need to verify their email addresses (using a verification code) before updating the database, since users will not be able to log in if they don’t input a correct email address.

This is mandatory, yes! And you should add a way for the user to change his email. Funny thing, on my own instance, I implemented this last week ^^

See the 3 commits linked to this issue (in my case, I was planning to also add some other parameters, which is why I called the tab Parameters): https://git.pofilo.fr/pofilo/pmanager/issues/15

We won't be able to cherry-pick as I don't have all of the huge refactor by @BenjaminHae. However, I'm able to make a similar PR to allow users to change their email here.

Your feature is a great idea; it adds an additional verification and is not painful for the user (every 3 months, as for PINs). In addition to that (other PR), we could also add a honeypot to prevent robots trying to connect.

zeruniverse commented 6 years ago

@Pofilo For preventing robots, we can simply add a verification code: some numbers in an image that is hard to read for computers (as long as the robot is not good at computer vision).

But I’m not convinced it’s necessary, as we already implemented IP and user blocks for multiple login errors.

BenjaminHae commented 6 years ago

This sounds like a perfect use case for JWT (https://jwt.io/).

I'm currently in the beginning phase of developing an Android and iOS app. For authentication of this app against the web service I'd like to use JWTs for auto-login (after authentication using a fingerprint or something similar). Maybe we could now create a plugin architecture for the backend as well. That way your proposal could be an extension that someone who deploys this manager can easily disable.

BenjaminHae commented 6 years ago

For email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

I suggest implementing it in a generic way. I have my own mailserver, so using an external service is not necessary and adds another point of failure.

zeruniverse commented 6 years ago

I think for most users, deploying a mailserver is not that easy.

Another issue is that most IP ranges of popular VPS providers have at some point been abused for spam, so the verification emails are likely to be put in spam folders by email providers.

On Sat, Oct 13, 2018 at 2:08 PM Benjamin Häublein notifications@github.com wrote:

For email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

I suggest implementing it in a generic way. I have my own mailserver, so using an external service is not necessary and adds another point of failure.


zeruniverse commented 6 years ago

But I agree this can be a separate PHP file, so whoever wants something else can DIY it themselves.

On Sat, Oct 13, 2018 at 2:14 PM Jeffery ZHAO zzy8200@gmail.com wrote:

I think for most users, deploying a mailserver is not that easy.

Another issue is that most IP ranges of popular VPS providers have at some point been abused for spam, so the verification emails are likely to be put in spam folders by email providers.


Pofilo commented 6 years ago

@BenjaminHae why create an application? Aren't web apps enough? Or maybe is it to automatically add passwords in fields?

BenjaminHae commented 6 years ago

Signing in to the web app is a pain when you need to enter a strong password. So I'm going to implement authentication using biometrics. Inserting passwords using the clipboard is a bad idea as every app can read it. So I'm going to use the autofill framework on Android (on iOS I don't know yet).

Pofilo commented 6 years ago

Okay for the biometrics, but there is the PIN, which is easy to use! But the autofill framework would be very interesting!

BenjaminHae commented 6 years ago

I've implemented a rough draft of this over at my fork. The basic procedure stands. There's a lot to be done:

It does not need any changes to existing instances! So you can use existing test accounts/databases.

When logging in you will get "plugin error". Look in the PHP error log. There you should find the link to finish the login. But do not close the browser window between entering the credentials and "clicking" the email link.

It's based on JSON Web Tokens, which allow stateless authentication (so no new database tables are needed).
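To show why a JWT-based "finish the login" link needs no new database table, here is an added Python example that signs and verifies a minimal HS256 token by hand (illustrative code only, not the fork's PHP plugin, and not a substitute for a maintained JWT library). The link carries the username, a purpose claim and an expiry under an HMAC keyed with a server secret, so the server can check the link without remembering that it issued it. The `purpose` claim, the 15-minute lifetime and the constructed secret are assumptions; the checks on `alg`, signature and `exp` are the ones any verifier of such a token must make.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for each segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, username: str, purpose: str, ttl: int, now=None) -> str:
    """Mint an HS256 JWT for one purpose (e.g. finishing a pending login)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "purpose": purpose, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, purpose: str, now=None):
    """Return the payload if the token is genuine, unexpired and for this purpose; else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None
    # Only the algorithm we issue is acceptable; "none" or a swapped alg is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if payload.get("purpose") != purpose or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None
    return payload


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed for the demo; use a random server secret
    link_token = issue_token(SECRET, "alice", "finish-login", ttl=15 * 60)
    print(verify_token(SECRET, link_token, "finish-login"))
```

The token is the whole record of the pending login: verifying it means recomputing the MAC and comparing expiry and purpose, never looking anything up. The trade-off is that such a token cannot be revoked before `exp` without adding state back, which is why a short lifetime for the link matters.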

zeruniverse commented 5 years ago

Is this feature done, or does it need some additional work? I currently have some time to look into it.

BenjaminHae commented 5 years ago

There's still a lot to do. I'd like to refactor the backend beforehand as I've run into some difficulties with the current implementation of sessions.

You could implement the plugin for sending mails. Starting with this dummy plugin: https://github.com/BenjaminHae/Password-Manager/blob/secondFactorPlugin/src/function/plugins/dummyMail.php