2FA
2FA = Two Factor Authentication. At OSE, whenever possible, we use the following 2 factors for public-facing authentication:
- Something you know (username/password)
- Something you have (TOTP token)
For more information on 2FA, see wikipedia:Multi-factor_authentication
Why
Adding "something you have" to the typical username/password credentials is important in case:
- A user's password is stolen (i.e. through phishing, or by reusing a password that is not unique and site-specific)
- A user's password is insecure (i.e. set to 'password' or otherwise trivial to brute-force)
TOTP
The best "something you have" authentication factor is TOTP. The benefits are:
- It does not require a communication channel between the device holding the private key and the server you're authenticating to, other than the initial sharing of the private key. (This eliminates the risk of someone intercepting the token in transit. 2FA systems that send tokens to users in plaintext [i.e. SMS messages, emails, etc.] should be entirely untrusted.)
- It is a well-defined standard that's implemented in many FLOSS apps on many devices.
For more information about TOTP, see wikipedia:Time-based_One-time_Password_Algorithm
FLOSS apps for TOTP
List of OSE Services that use 2FA
FAQ
What if I lose the device holding my TOTP private keys?
Great question! If you lose your phone, you will not be able to log in unless:
- You restore your replacement phone's TOTP app with a backup that you made or
- Another admin on the site who hasn't lost their phone logs in and edits your WordPress user account, unchecking the "enabled" box that you checked, so you can log back in without a 2FA token. Then you can generate a new token and scan it into your new phone as you just did.
- Or, if all admins lose their phones at the same time (or there is only 1 admin account and it's you), someone can ssh into the server and either use the wp-cli or manually delete the 'google-authenticator' plugin directory from the WordPress plugins folder (for obi it's /var/www/html/openbuildinginstitute.org/htdocs/wp-content/plugins/google-authenticator). Log in, then re-install it.
There are at least 3 ways you can back up FreeOTP:
- The QR code you scanned is your private key. You could take a screenshot of this QR code, print a copy of it, and keep it locked in a safe. If you lose your phone, you can simply rescan your QR codes with your new phone. If you do this, be sure to shred (not just delete) the screenshot from your computer after you print it.
- Use the "Titanium Backup" app. This is free, but not FLOSS.
- Use the ADB = Android DeBugger CLI tool in Linux to create a backup. This doesn't work for all apps, but it's been documented to work for FreeOTP at least.
adb backup -all -apk -f backup.ab                  # backup all apps
adb backup -f backup.ab org.fedorahosted.freeotp   # backup just freeotp
Of course, your backups should be encrypted. If you don't know how to make secure backups, it's probably best that you just make sure that your website has multiple users (with distinct phones running a TOTP app) set as admins.