Two Factor Authentication on Gitea

[gencer]

I couldn't find this request here so i made one.

As you might know, we deploy our secrets (means sources) in gitea/gogs. It will be super-awesome to get Two Factor Authentication besides normal password. There are plenty of implementation for 2FA and I am pretty sure Go has some kind of library out there (didn't looked up yet).

Possibly storing 2FA secret on a disk and an encrypted data on database will make it more secure. Perhaps secret in app.ini.

Can we at least make it happen in v1.0.0.

Personally, I am gonna feel more secure when 2FA is enabled.

[metalmatze]

Yesterday I thought about exactly this feature. I really want that too and would like to contribute to this as well. Has anyone tried any lib for 2fa in Go?

[thibaultmeyer]

It would be nice if U2F - FIDO Universal 2nd Factor Authentication will be implemented too. It allow usage of USB key rather than SMS / Mail. A GO library exists : https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

[gencer]

@0xBAADF00D this can be useful, yes, but, many people use a traditional way for 2FA -including me-. So at least for starting, we should have 2FA enabled. If we make generalize, im pretty sure that 2FA users are most.

Correct me If I am wrong.

[thibaultmeyer]

@gencer U2F FIDO is 2FA too, but it allow usage of an cryptographic USB Key. By exemple Github propose U2F FIDO or Token generated via "Authenticator" mobile app.

You can read more at https://help.github.com/articles/configuring-two-factor-authentication-via-fido-u2f/

We have just to keep in mind to get something modular with the possibility to add new 2FA methods in future

[tboerger]

But this won't get into 1.0.0 as this is a release that will be done pretty soon. Maybe we can integrate it for 1.1.0 or 1.2.0.

[lunny]

Yes, this should be enabled on admin panel. It should not be a default setting.

[strk]

Agreed this cannot be in 1.0.0. Open for 1.1+, as soon as a PR is ready :)

[stevenroose]

Might go good with #183

[mmoya]

FTR, a proof of concept for gogs/gogs#945 was posted to minecrafter/gogs@5cd2997.

[lunny]

@mmoya, Could you send a PR to Gitea?

[gencer]

@lunny as soon as PR accepted, I will try on brand new server with fresh config for better result and for one to the existing installation to see how its going on. I am preparing a new test server until PR accepted. (Otherwise, I will try target PR source myself)