2FA: Difference between revisions
Revision as of 19:02, 3 October 2017
2FA = Two Factor. At OSE, whenever possible, we use the following 2 factors for public-facing authentication:
- Something you know (username/password)
- Something you have (TOTP token)
For more information on 2FA, see wikipedia:Multi-factor_authentication
Why
Adding "something you have" to the typical username/password credentials is important in case:
- A user's password is stolen (e.g. via phishing, or because it was reused rather than being unique and site-specific)
- A user's password is insecure (e.g. set to 'password' or otherwise trivial to brute-force)
TOTP
The best "something you have" authentication factor is TOTP. The benefits are:
- Does not require a communication channel between the device holding the private key and the server you're authenticating to, other than the initial sharing of the private key. (This eliminates the risk of someone intercepting the token. 2FA systems that send tokens to users in plaintext [e.g. SMS messages, emails, etc.] should be entirely untrusted.)
- A well-defined standard that's implemented in many FLOSS apps on many devices
FLOSS apps for TOTP
- andOTP (https://f-droid.org/packages/org.shadowice.flocke.andotp)
- FreeOTP (https://f-droid.org/packages/org.fedorahosted.freeotp)
List of OSE Services that use 2FA
- Wordpress
FAQ
What if I lose the device holding my TOTP private keys?
Great question! If you lose your phone, you will not be able to log in unless:
- You restore your replacement phone's TOTP app from a backup that you made, or
- Another admin on the site who hasn't lost their phone logs in and edits your WordPress user account, unchecking the "enabled" box that you checked, so you can log back in without a 2FA token. Then you can generate a new token and scan it into your new phone as you did originally.
- Or, if all admins lose their phones at the same time (or there is only 1 admin account and it's you), someone can SSH into the server and either use the wp-cli or manually delete the 'google-authenticator' plugin directory from the WordPress plugins folder (for OBI it's /var/www/html/openbuildinginstitute.org/htdocs/wp-content/plugins/google-authenticator). Log in, then re-install it.
There are at least 3 ways you can back up FreeOTP:
- The QR code you scanned is your private key. You could take a screenshot of this QR code, print a copy of it, and keep it locked in a safe. If you lose your phone, you can simply rescan your QR codes with your new phone. If you do this, be sure to shred (not just delete) the screenshot from your computer after you print it.
- Use the adb (Android Debug Bridge) CLI tool on Linux to create a backup. This doesn't work for all apps, but it's been documented to work for FreeOTP at least.
adb backup -all -apk -f backup.ab                    # backup all apps
adb backup -f backup.ab org.fedorahosted.freeotp     # backup just FreeOTP
- Use the "Titanium Backup" app. This is free, but not FLOSS.
Of course, your backups should be encrypted. If you don't know how to make secure backups, it's probably best that you just make sure that your website has multiple users (with distinct phones running a TOTP app) set as admins.