ryan

Blog post: 2-factor authentication and PW


This week we’re going to discuss a new security feature that’s currently in development on the dev branch: 2-factor authentication. In this post we look at the benefits of 2FA, how it works, the coming implementation in ProcessWire, and more: 

https://processwire.com/blog/posts/2-factor-authentication-coming-to-processwire/

  • Like 14


Yes! Very pleased to see this finally make it into the core. Thanks for mentioning my old module too - as it happens, I'm still using it, and just updated it to work with PHP7.2.

Thanks, Ryan.

  • Like 3


Thanks Ryan!

While I think this is a great idea in principle, I can't honestly see any of my clients wanting to use this. I guess at least protecting superuser accounts will be a nice improvement.

Does anyone else think this will be a hard sell to clients, or do you think they will be really keen to use it? Maybe I need different clients 😉

  • Like 1


@adrian

I guess it will vary. I can't see people with smallish brochure sites wanting it.

However, I'm currently using PW to build an admin system for a charity. Most of the users are probably using their (child|spouse|pet)'s name + a year of birth as their password, yet they are trusted to handle their own client's confidential information on the system. I see 2FA as a big win for this kind of user, as a small change in log-in protocol can bring in a big benefit for the charity and its clients, by mitigating the risk of such poor passwords.

  • Like 6


I reckon superusers will have the option to force 2FA upon all users, won't they? So far it sounds like this bit is not yet implemented, quote:
"Once enabled, individual users CAN ENABLE 2-factor authentication for their account in the ProcessWire user profile editor."


Tried to download the Google authenticator but comments show that it is not very popular among users. One of the most common complaints is that you will lose all your keys when you switch to a new phone and then you cannot log in to all the 2FA accounts.

Gideon

10 hours ago, pwired said:

Why does it need to be in the core and not a module ?

From the blog post:
"This will enable us to support different types of 2-factor authentication and different providers. Much in the same way that we support different types of email providers with WireMail modules."

I think there must be API based support to make individual authentication methods easier to implement.

  • Like 1


Instead of assuming clients won't need or want this kind of feature I asked some of my clients today already and some of those who have more than 1 or 2 editors are welcoming such a feature. 

There are concerns but those shouldn't be the problem as I think that Ryan and therefore ProcessWire will take care of those things.

The concerns were:

  • the possibility of a reset for already saved tokens (I don't know how and if this will work with the Google app)
  • the possibility to reset passwords and disabling 2FA for a user
  • the possibility to have exactly one user to maintain those settings
  • the possibility to enable/disable it site-wide with a config-entry

One client (a one-man business) asked if it's possible to remove username/password and just use this kind of token to login. 

I personally would use this on my personal sites but won't use it on client sites, as this part could end in an extra amount of work for me.

  • Like 2

Quote

I reckon superusers will have the option to force 2FA upon all users, won't they? So far it sounds like this bit is not yet implemented, 

I don't plan on forcing the option, though had thought that when enabled, we'd give them a login warning notification asking them to enable it, every time they log in. I haven't come across any services that force me to 2FA yet, though I know some companies require it internally. But I think it might depend on the 2FA method being used before you could say if it would be a good idea to force it or not. There are times where you might want to disable 2FA temporarily too. So I think it's best to let the user control it, and maybe annoy them a bit with warnings when they aren't using it. But this is one of those things where I think we'll start fairly simple, but then start fine tuning the options according to what we find are the needs of people using it.

Quote

Why does it need to be in the core and not a module ?

I think support in the core is consistent with PW's strategy of making security the top priority. I think we are soon reaching the time (or already have in some cases) where 2FA is considered essential in order for an online application to be taken seriously as having an emphasis on security. I consider it essential for any other online account I maintain (as I imagine many do), so it should be in PW too. If we step outside the security aspect, I think it also builds trust and checks boxes for a lot of bigger companies that may be considering PW or comparing to other options. 

The support and interface for it will be in the core. The implementation of the interface will be in modules. There will very likely be one implementation module included in the core, though I'm not 100% positive on that yet. Either way, I'll be building and maintaining at least one of the modules that supports it. 

Quote

Tried to download the Google authenticator but comments show that it is not very popular among users. One of the most common complains is that you will lose all your keys when you switch to a new phone and then you cannot login all the 2FA accounts.

As I understand it, Google Authenticator is just a standard implementation of RFC 6238 and RFC 4226, like any number of other authenticator apps. As far as I know, they are compatible with each other, but Google Authenticator is just the most widely known/used. I think the complaint you mentioned is the nature of the technology, and not really anything about Google Authenticator in particular. But the complaint is also the reason why it's secure. Once one understands how it works and the steps they should take, I think it all makes sense. I'll try to describe.

The reality is that 2FA is an extra step, which you can't deny is an inconvenience. But it's like locking your door before you leave the house. Nobody likes having to take extra steps, what they like is the security benefit (if they understand it). And if you lose your keys, then yes you are locked out, unless you've got a backup method. This is why services typically provide backup 2FA methods (like SMS) or one-time use backup codes that you can store securely somewhere in case you ever lose your device.

For every place where you use 2FA, you've established "a secret" between your device and the service/website (a long base32 string, which can also be represented by a QR code image). The reason it is secure is because it's not shared anywhere else. If that secret were stored up in the cloud or synced between devices and such, then it is becoming less secure. It is getting passed around networks just like your password, which kind of defeats the purpose of 2FA.

If you buy a new phone, and can't restore backup data from your old phone for some reason, then yes you'd want to reset your 2FA for the new phone. If you've got your old device handy, then you'd switch the 2FA to your new device. If your old device is lost or non-functional, then this is where a backup method and/or one-time use code would come into play. If those options weren't available, when it comes to PW, one could also fix any of this by asking a superuser to reset it, or even temporarily disabling it from $config (if nobody had admin access).

Quote

the possibility of a reset for already saved tokens (I don't know how and if this will work with the Google app)

As I understand it, this is simply a matter of a user turning 2FA off for some account, then turning it back on, so they can establish a new secret/QR code.

Quote

the possibility to reset passwords and disabling 2FA for a user

There's already a password reset module built into PW. 2FA can be disabled for any individual account as needed. 

Quote

the possibility to have exact one user to maintain those settings

This is what the superuser account is for. 🙂

Quote

the possibility to enable/disable it site-wide with a config-entry

This is definitely part of the plan. Though with the 2FA methods I've been working with, we can't enable it for anyone that hasn't set it up themselves. Maybe with Netcarver's PPP module when using email, it could work. Or maybe it would work with SMS when you've already got the user's mobile phone number stored. 

Quote

One client (a one-man business) asked if it's possible to remove username/password and just use this kind of token to login. 

It needs to know the user name in order to be able to look up the user-specific secret for the codes. Technically it doesn't need the password. But 2FA without a password is no longer two-factor, and would have its own security problems, which might be even worse than not having 2FA in the first place. If someone gets a hold of your device, and needs no password for your account, then they essentially have access to your account. Whereas, the intention with 2FA is that both your password AND your device are necessary. It's that combination of factors that makes it secure. 


  • Like 8
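To make the "shared secret + time" mechanism from Ryan's explanation concrete, here is an added example (not ProcessWire code and not from the blog post) of the RFC 4226/6238 arithmetic: the base32 secret the QR code carries, the HOTP/TOTP code derivation, and a server-side check that tolerates clock skew but refuses to accept the same time step twice. All names are this example's own; the 30-second step, 6 digits and SHA1 are the defaults authenticator apps assume.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def new_secret_base32(nbytes: int = 20) -> str:
    """The per-user secret; the QR code is just this string inside an otpauth URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret_b32: str, code: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30) -> tuple:
    """Server-side check: accept +/- `window` steps of clock skew, but never a
    step <= last_counter, so a code captured in transit cannot be replayed
    within its 30-second validity. Returns (ok, new_last_counter) to persist."""
    secret = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):   # constant-time compare
            return True, c
    return False, last_counter


if __name__ == "__main__":
    s = new_secret_base32()
    print(otpauth_uri("ExampleSite", "alice", s))          # what the QR code would encode
    print("current code:", totp(base64.b32decode(s), int(time.time())))
```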

5 minutes ago, ryan said:
Quote

the possibility of a reset for already saved tokens (I don't know how and if this will work with the Google app)

As I understand it, this is simply a matter of a user 2FA off for some account, then turning it back on, so they can establish a new secret/QR code.

This is exactly what the client is asking for. So it seems to be a perfect fit for them.

6 minutes ago, ryan said:
Quote

the possibility to enable/disable it site-wide with a config-entry

This is definitely part of the plan. Though with the 2FA methods I've been working with, we can't enable it for anyone that hasn't set it up themselves. Maybe with Netcarver's PPP module when using email, it could work. Or maybe it would work with SMS when you've already got the user's mobile phone number stored. 

I guess they want kind of a soft force to motivate the editors to use 2FA. In this case they might actually prefer the e-mail way as the users/editors use their corporate e-mail addresses. 

9 minutes ago, ryan said:
Quote

One client (a one-man business) asked if it's possible to remove username/password and just use this kind of token to login. 

It needs to know the user name in order to be able to look up the user-specific secret for the codes. Technically it doesn't need the password. But 2FA without a password is no longer two-factor, and would have its own security problems, which might be even worse than not having 2FA in the first place. If someone gets a hold of your device, and needs no password for your account, then they essentially have access to your account. Whereas, the intention with 2FA is that both your password AND your device are necessary. It's that combination of factors that makes it secure. 

I can totally agree with that.

I personally think that the 2FA could be a perfect thing to remove the password but keeping the username of course (in this case) - the password is so often a problem. I know that removing the password makes 2FA kind of weak but replacing the password with a one-time token could also be a nice option for those who don't play nice with passwords. 😉

We will see and I will try 2FA with some of my clients.


I'm looking forward to the 2FA updates. I'm hearing of more and more companies forcing 2FA with their email systems (GSuite or Office365). We've had these discussions and will probably do this at our company as well. Once people start getting used to using it with their email and banks, they will start to expect it with their websites as well. I agree with Ryan, I think it will look good if Processwire already has this security built in. It builds trust with larger organizations.

As a website administrator, I currently have to set up a secure password for each of my site editors so they don't get hacked. I can't rely on them doing it. I also have to disable them from resetting their password to something easier to remember. With 2FA, I don't care what they set their password to.

It would be nice if we could somehow require/force 2FA for specific roles like Site Editors.

I'm not sure if this is a different technology than 2FA, but when using G-Suite, you also have the option to use the Google Prompt. https://support.google.com/accounts/answer/7026266 This makes it much easier to sign into accounts. I wonder if that is just a Google thing, or if that is something that Processwire can utilize as well?

They also offer several different ways to authenticate https://support.google.com/a/answer/175197?hl=en including Yubi Keys, Google Authenticator App, Google Prompt, SMS text message codes, and backup codes.

  • Like 3


I usually post to the blog on Fridays, but I've been working on ProcessWire-based client projects this week, so nothing new to post today. I'm back to working on the core next week and continuing the 2FA development, so will have more next week. Thanks and I hope that you have a great weekend.

  • Like 10

