Feature proposal: email verification on new device

[zeruniverse]

In login page, there will be a hidden input box for email verification code. This will be visible after receiving login error msg from server.

When user logins, server first checks password hash & username combination. If it matches, server checks some cookie ‘K’ which should be unique given the password hash & username & randomseed saved at the server side (to prevent users generate ‘K’ themselves). If ‘K’ does not match, or ‘K’ does not exist, server returns an error and send an email to user’s email on profile. A session is set to be the sent verification code. Next time when user tries to login, if the verification code matches, server sets a cookie ‘K’ with 3 months validation. Otherwise, verification code is regenerated and resent to the maximum allowed times. All email sent and verification will be done after password hash check passed. Server only returns a same error msg for non-server-side login errors. So without the mailbox access, the person doesn’t know if password is wrong or email verification code is wrong.

This machinism will further prevent brute force hack for simple login password. For email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

This is an optional feature that can be turned on at config.php. If turned on, user should provide sendgrid api key.

[zeruniverse]

Random seed will be updated on password update. And we should also allow users to change their email address because it’s now useful. We need to verify their email addresses (using verification code) before updating on database since users will not be able to login if they don’t input a correct email address.

[Pofilo]

We need to verify their email addresses (using verification code) before updating on database since users will not be able to login if they don’t input a correct email address.

This is mandatory yes ! And you should add a way for the user to change his email. Funny thing, on my own instance, I implemented this last week ^^

See the 3 commits linked to this issue (in my case, I was planning to also add some other parameters, that's why I called the tab Parameters): https://git.pofilo.fr/pofilo/pmanager/issues/15

We won't be able to cherry pick as I don't have all the huge refactor of @BenjaminHae. However, I'm able to make a similar PR to allow users to change their email here.

Your feature is a great idea, it add an additional verification and is not painful for the user (every 3 months as for PINs). In addition of that (other PR), we could also had a honeypot to prevents robot trying to connect.

[zeruniverse]

@Pofilo For preventing robot, we can simply add a verification code. It’s some numbers in an image that’s hard to read for computers (as long as the robot is not good at computer vision).

But I’m not convinced it’s necessary as we already implemented IP and user blocks for multiple login errors

[BenjaminHae]

This sounds like a perfect use case for jwt (https://jwt.io/).

I'm currently in the beginning phase of developing an android and ios app. For authentication of this app against the webservice I'd like to use jwts for autologin (after authentication using fingerprint or something similar). Maybe we could now create a plugin architecture for the backend as well. That way your proposal could be an extension that someone who deploys this manager can easily disable.

[BenjaminHae]

For email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

I suggest implementing it in a generic way. I have my own mailserver, so using an external service is not necessary and adds another point of failure.

[zeruniverse]

I think for most users, deploying a mailserver is not that easy.

Another issue is that most IP ranges of popular VPS providers have once been abused to spam so the verification emails are likely to be put in spam folders by email providers.

On Sat, Oct 13, 2018 at 2:08 PM Benjamin Häublein notifications@github.com wrote:

For email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

I suggest implementing it in a generic way. I have my own mailserver, so using an external service is not necessary and adds another point of failure.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/zeruniverse/Password-Manager/issues/226#issuecomment-429563083, or mute the thread https://github.com/notifications/unsubscribe-auth/AEbvNJNpfD_axxSwKZl_zuV_HzajAnQZks5ukiwxgaJpZM4XavYA .

[zeruniverse]

But I agree this can be a separate php file so whoever wants something else can DIY themselves

On Sat, Oct 13, 2018 at 2:14 PM Jeffery ZHAO zzy8200@gmail.com wrote:

I think for most users, deploying a mailserver is not that easy.

Another issue is that most IP ranges of popular VPS providers have once been abused to spam so the verification emails are likely to be put in spam folders by email providers.

On Sat, Oct 13, 2018 at 2:08 PM Benjamin Häublein < notifications@github.com> wrote:

For email service, ‘sendgrid’ is a good choice. They provide 100 emails daily for free forever. https://sendgrid.com/pricing/

I suggest implementing it in a generic way. I have my own mailserver, so using an external service is not necessary and adds another point of failure.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/zeruniverse/Password-Manager/issues/226#issuecomment-429563083, or mute the thread https://github.com/notifications/unsubscribe-auth/AEbvNJNpfD_axxSwKZl_zuV_HzajAnQZks5ukiwxgaJpZM4XavYA .

[Pofilo]

@BenjaminHae why creating application ? Aren't webapp enough ? Or maybe is it to automatically add passwords in fields ?

[BenjaminHae]

Signing in to the web app is a pain when you need to enter a strong password. So I'm going to implement authentication using biometrics. Inserting passwords using the clipboard is a bad idea as every app can read it. So I'm going to use the autofill framework on android(on ios I don't know yet).

[Pofilo]

Okay for the biometric, but there is the PIN which is easy to use ! But the autofill framework would be very interesting !

[BenjaminHae]

I've implemented a rough draft of this over at my fork. The basic procedure stands. There's a lot to be done:

• no need for the second factor after the first successful login (simple, I just need to set the cookie)
• UI-Experience (useful message after first entering of credentials: Wait for mail)
• Security testing
• Refactoring so that the second factor does not have to be a mail (but could be a 2fa generator app)
• Verify that the email address exists when registering
• Activate this requirement on a per user basis
• allow closing of browser-window before link-clicking

It does not need any changes to existing instances! So you can use existing test accounts/databases.

When loggin in you will get "plugin error". Look in the php error log. There you should find the link to finish the login. But do not close the browser window between entering the credentials and "clicking" the email link.

It's based on JSON Web Tokens which allow stateless authentication (so no new database tables are needed).

[zeruniverse]

is this feature done or need some additional work? i currently have some time to look into it.

[BenjaminHae]

There's still a lot to do. I'd like to refactor the backend beforehand as I've run into some difficulties with the current implementation of sessions.

You could implement the plugin for sending mails. Starting with this dummy plugin: https://github.com/BenjaminHae/Password-Manager/blob/secondFactorPlugin/src/function/plugins/dummyMail.php