Enable OTP 2FA #3798
Nice 👍
However I have two notes:
- We must provide backup codes for when the device is lost or unavailable, see https://github.com/scheb/two-factor-bundle/blob/master/Resources/doc/backup_codes.md
- We should limit our use of the term 'Google Authenticator' as it could be misleading. This authenticator uses a standard OTP mechanism afaik, the documentation and help lines should talk about other authenticator apps like Duo mobile and FreeOTP too
Agreed with @Kdecherf and these two extra remarks:
- Put the QR code more upfront (people should use it more than the text code)
- From a UX PoV most services which offer 2FA will ask you to confirm 2FA is working with a code generated by the 2FA app, is this doable here?
This is probably a dumb question, but will this interfere with existing app integrations (e.g., Android) if we upgrade to get this functionality and turn it on?
@virtadpt It will indeed.
@virtadpt the email 2fa is already available. You can give it a try.
@Kdecherf done. I have a question regarding the OTP secret & backup codes: should the administrator be able to view them? Like:
@j0k3r imo administrators must not see secret keys and backup codes. Also, backup codes must not be saved somewhere: they are shown only once. Here is a side-note on the text of the checkbox for OTP: we should avoid "Google" here as well.
Backup codes are saved in the database, so we can check if the given code is valid (and then remove it from the backup codes).
Oh, well, I saw it differently in my mind :D You're right.
Is there any reason why we don't hash them inside the database?
@tcitworld None. We can hash backup codes.
Just popping in to ask about the status on this. Would love to see this merged 😊
I need to get back on this to:
Force-pushed b276da4 to 111fd61
Rebased against the updated 2.4 branch.
Force-pushed 111fd61 to 0ad4436
I've updated how it works now. Just one thing left: hashing backup codes.
Regarding my last comment I'm wondering if we really should hash backup codes in the database? 🤔
My opinion would be to check how popular libraries / softs handle this.
GitHub allows you to view your backup codes. So I guess they didn't hash them.
I have at least two services (Ubisoft and I think Microsoft) telling me when activating otp "this is your code and don't lose them". So they probably hash them.
LGTM
As for the hashing of backup codes, we could ignore it as for now considering that the rest of the database is not encrypted.
It seems quite easy to me to have backup codes hashed, so I'd still vote for this before merging it.
The whole point of having backup codes is not being able to see them again once connected, so that if someone gets access to your session on a computer you just left, he's not able to get access to them.
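The single-use, hashed backup-code handling discussed in the thread, as an added example written for this review and not code from wallabag or SchebTwoFactorBundle. It assumes the codes live in a user row as an array of hashes (the `BackupCodes` class and the storage shape are assumptions) and uses PHP's `password_hash`/`password_verify` so a database dump exposes no reusable code, while a successful check removes the hash so the code cannot be replayed from a leftover session:

```php
<?php
// Added example (not the project's own code): generate backup codes once,
// persist only their hashes, and consume a code on successful verification.
declare(strict_types=1);

final class BackupCodes
{
    public const COUNT = 10;   // number of codes issued at enrolment
    public const LENGTH = 8;   // hex characters per code

    /**
     * Returns ['plain' => string[], 'hashed' => string[]]:
     * 'plain' is shown to the user exactly once, 'hashed' is what gets stored.
     */
    public static function generate(): array
    {
        $plain = [];
        $hashed = [];
        for ($i = 0; $i < self::COUNT; ++$i) {
            // random_bytes() is the CSPRNG; each code gets its own salted hash
            $code = bin2hex(random_bytes(intdiv(self::LENGTH, 2)));
            $plain[] = $code;
            $hashed[] = password_hash($code, PASSWORD_DEFAULT);
        }
        return ['plain' => $plain, 'hashed' => $hashed];
    }

    /**
     * Checks $submitted against the stored hashes. On a match the hash is
     * removed from $storedHashes (by reference) so the code is single-use;
     * the caller then persists the shortened list on the user row.
     */
    public static function verifyAndConsume(string $submitted, array &$storedHashes): bool
    {
        $submitted = strtolower(trim($submitted));
        foreach ($storedHashes as $index => $hash) {
            if (password_verify($submitted, $hash)) {
                unset($storedHashes[$index]);
                $storedHashes = array_values($storedHashes);
                return true;
            }
        }
        return false;
    }
}

// Self-check of the flow: enrol, keep only hashes, then log in with one code twice.
$codes = BackupCodes::generate();
$stored = $codes['hashed'];            // the only thing written to the database
$first = $codes['plain'][0];
if (!BackupCodes::verifyAndConsume($first, $stored)) { throw new RuntimeException('fresh code rejected'); }
if (BackupCodes::verifyAndConsume($first, $stored)) { throw new RuntimeException('consumed code accepted again'); }
```

With this layout an administrator (or an attacker holding a live session) only ever sees hashes, which matches the behaviour of the services in the thread that tell you to write the codes down at activation.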
- Update SchebTwoFactorBundle to version 3
- Enable Google 2fa on the bundle
- Disallow ability to use both email and google as 2fa
- Update Ocramius Proxy Manager to handle typed function & attributes (from PHP 7)
- use `$this->addFlash` shortcut instead of `$this->get('session')->getFlashBag()->add`
- update admin to be able to create/reset the 2fa
Replace “Google Authenticator” by “Google Authenticator, Authy or FreeOTP” in all text. Translate how to use the code / qr code.
Also remove the forced `server_version` from dbal config to avoid a hard override across all databases.
And add a step to validate a generated code from the OTP app
Force-pushed 38b14fc to c416ed4
Rebased because of conflicts.
I didn't think about that vector, you make a point.
I'll review and test the workflow tomorrow
"tomorrow" 6 days ago 👀
looks good 👍
Fixes #2822
Moved stuff from the "reset area" to a dedicated tab. Might be better.
Enable OTP 2FA:
- `$this->addFlash` shortcut instead of `$this->get('session')->getFlashBag()->add`
Here is a gif when enabling OTP app: