Jump to content

FIDO/U2F Two Factor Authentication


Adam
 Share

Recommended Posts

Well, it's only day 2 of this module's use with folks other than yourself (as far as I can tell), so I wouldn't worry too much about it being "hacky" (from a code pov) at the moment. There are a few UX issues that did get me confused though, and these might be worth your consideration.

Firstly, as you mentioned, the key registration process on the user account page is not intuitive. On most other websites where I have registered keys, you are allowed to name the keys and manage them individually. Whilst not being able to name/manage them is fine, I think the wording/flow of key registration could possibly be improved. Perhaps a pop-up when a key registration is successful? I ended up having to turn on the developer tools to look at the debug messages in the console to see when a registration went through OK.

Secondly, could the two buttons ("Use Security Key" and "Submit") on the 2nd factor page be removed/hidden, as far as I can tell, neither of them needs to be visible - at least not for a Yubikey - as activating the key submits the page. Do these buttons need to be visible for other U2F key types? 

Link to comment
Share on other sites

@netcarver day 2 of existence actually was just a late night idea I decided to go with.

The is actually a message that says it was successful and also counts when you do more than 1 key. but I should make it clearer I will look into that. the managing/naming is not going to be possible though as the settings actually vanish once you save the page. This is just how the Tfa class works as far as I can tell. but maybe I am wrong. the is not much documentation on the Tfa class besides the API and the 2x examples from ryan

the buttons got added for the initial tests. the Use button does have a purpose. if for some reason it don't automaticity prompt or you accidentally exit the prompt you can use that button to restart the security key process without logging back in again. the submit button is indeed useless though. Originally it was a click the use button then click the submit button but now the JS behind it is more sophisticated and starts the auth process and submits the form on success so I can remove the submit button. but I think the use button could be handy to keep.

  • Like 1
Link to comment
Share on other sites

  • 1 month later...

Hmm, there's something odd here:

I have installed this module, used the admin account to modify a less-privileged account (changed tfa_type, added a security key). Then I tried to log in as that user ... and was logged in without that second factor. No need to press my hardware button, even worked with the security key plugged out.
Does this possibly depend on another module which enables 2FA before login is dispatched to your module?

Thank you for you effort. I'm really looking forward to using my FIDO for ProcessWire.

Link to comment
Share on other sites

@bee8bit Interesting. Any logs at all? if your getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the users profile?

What version of ProcessWire are you using too

Link to comment
Share on other sites

14 minutes ago, bee8bit said:

Does this possibly depend on another module which enables 2FA before login is dispatched to your module?

Ah, same problem with other 2FA modules. And probably the answer:

I am using a custom login form and $session->login(). This seems to circumvent any second factor!
Now i have to research if there is any way to trigger two-factor authentication from the api.

Link to comment
Share on other sites

@bee8bit The are ways to call it from the API https://processwire.com/api/ref/tfa/

I have no idea how your custom login form works but I assume your going to need to do some modifications. it will need to check that TFA is active, build the form and process the TFA request. Or if its something another user has created maybe just pester them a lot to update their module to support the TFA class that has been out for like a year already

  • Like 1
Link to comment
Share on other sites

3 minutes ago, Adam said:

@bee8bit Interesting. Any logs at all? if your getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the users profile?

What version of ProcessWire are you using too

Thank you, Adam!

Right, nothing in the logs. ProcessWire is not seeing that TFA is enabled, because I'm not using ProcessWire's own login form but the API. We could ask Ryan if he just overlooked this or if there is reasoning for keeping $session->login() open without the second factor. Version is 3.0.123.

Martin

Link to comment
Share on other sites

@bee8bit Surprised to see that the login function dont implement TFA. I am going on a whim and saying Ryan left it open to prevent breaking existing modules that are not built to support TFA. but does seem like a bit of a security issue if you can disable TFA by enabling a custom login form plugin. it should deny the login when it cant do TFA

Link to comment
Share on other sites

@bee8bit the TFA class is kinda a secret outside of that API page XD I think I am the only 3rd party dev to use the TFA class also.

Annoyingly the is a TFA category on the modules directory. but I cant add my module to said category. so the is a link somewhere in processwire that takes you to http://modules.processwire.com/categories/tfa/ where you only see Ryan's own modules. its a shame that the TFA module has so much potential but it feels kinda like something that was developed then hidden away from devs and users

  • Like 1
Link to comment
Share on other sites

  • 1 year later...

Hi @Adam

First of all, thank you for the module! I wanted to try it out myself now, but I can't get any further.
I think I'm being a bit of a jerk, but I could use some help. 

I have downloaded the module and successfully installed it on a new ProcessWire installation.
There are no other modules installed separately. 

When I change the 2FA type to U2F on a user no option to store a key comes up (no error in the console either). 
I tried it on a site with domain and TLS/https and on localhost. 

Do you have any idea what it could be? Do I have to configure something somewhere to make it work?

 

Link to comment
Share on other sites

@androbey I think @netcarver is right you have to save then add your keys. This module could really do with an overhaul to be honest but it's a proof of concept that works well enough.

as for localhost that will never work unless you have self signed SSL setup. U2F/FIDO require SSL to work.

If you are still having issues just shoot another reply and I will spin up a new ProcessWire instance and test it. might have been broken with an update to ProcessWire

Link to comment
Share on other sites

Yeah, that is the strange part. I don't get this option to set up the key. 

I have self signed SSL set up locally. But result is the same with SSL turned off (no errors whatsoever). 

To check if something else is wrong with my setup I installed the TOTP module, which shows the option (with QR code) after changing and saving the user page.

Link to comment
Share on other sites

@Adam Thank you! It works very well now. 

I also tried to include it on a front end login page (which does not use the Login/Register (pro) module).

With the example in the Tfa class the authorization form was never called and I figured it was because the tfa token changed because tfa's success method was called without tfa being started yet. So the token was reset and hence mismatched with the token in the get variable. Using a new session variable did the trick. I thought I'd share this if anyone also comes across this.

 

$tfa = new Tfa();
$tfaStarted = $session->get('tfa_started');

if ($tfaStarted && $tfa->success()) {
  //redirect to some page if logged in
  $session->redirect('/some/page');
} else if ($tfa->active()) {
  //only set this variable if $tfa->active() is true. That also means the auth form is rendered. 
  $session->set('tfa_started', true);
  //echo the form somewhere in your HTML 
  $tfaRender = $tfa->render();
} else if ($input->post('login_request')) {
  //get input name and password (also CSRF token...)
  $inputName = $input->post('user_name');
  $inputPassword = $input->post('user_password');

  $tfa->start($inputName, $inputPassword);
  $session->remove('tfa_started');

  /*
   do regular login stuff here if user has no 2FA set up
  */
} else {
  // render login form
  if ($session->get('tfa_started')) {
    //remove session variable and reload page (otherwise $tfa->success() would be called)
    $session->remove('tfa_started');
    $session->redirect($page->url);
  }
}


/*
don't forget to include scripts in your HTML markup
<script src="<?= $config->urls->siteModules ?>TfaU2F/u2f-api/u2f-api-polyfill.js"></script>
<script src="<?= $config->urls->siteModules ?>TfaU2F/TfaU2F.js"></script>
*/

 

  • Like 1
Link to comment
Share on other sites

Hi @Adam I upgraded a live site to the new version and, unfortunately, the update causes a 500 internal server error on PW 3.0.148. I suspect you might need to add a PW version check before calling the parent init() function.  I've verified that it's the changed line by commenting it out and the module then functions properly again.

Link to comment
Share on other sites

@netcarver Thanks for the heads up. will work on an update. need to find out which version of Processwire they redid the Tfa stuff so I can do such a check. Really annoying change for me to be honest. No idea why the devs behind Processwire changed something in the Tfa to give it an init(). I guess older versions lacked an init() function and so my module cant call the parent function if it does not exist ? Seemed to work fine without it but I am sure the was a very logical reason behind the changes

Link to comment
Share on other sites

@netcarver Just published 1.0.3 it has a simple version check which should allow it to work on all versions 3.0.109 and up now ?

Have not tested it on a version below 3.0.165 however nor have I tested on a version below 3.0.130 which is when some changes to the getVersion function was made (but should not effect it how I have implemented it)

Let me know if that works for you now

  • Like 1
Link to comment
Share on other sites

  • 7 months later...

Adam, Thank you for this fantastic module. It works great with PW 3.0.165 and Yubiykeys.

Some additional thoughts:

  • I added three Yubikeys. In case of loss, how can I revoke one specific Yubikey? It looks like I have to turn off U2F and deactivate all keys. Then re-add all YubiKeys again, right?
  • How can I recover access due to PHP incompatibility or PW version issues? Can I remove TfaU2F from the site/modules directory?

Feature Request:

  1. You should add some highlighting when a new security key has been added. The confirmation changes so quickly and could be easily missed.
  2. A summary with all active keys and description field would be great.

Excellent work!

  • Like 2
Link to comment
Share on other sites

@howdytom You can not revoke a single key I am afraid. The reason is in ProcessWire (at least when I coded this, might of changed since then) TFA modules was a setup then your locked from configuration changes. So under the user settings once you enable the TFA it will only let you remove it instead of edit it. Thats out of my control but might of changed since I made this. Will look into it as I know its not great design how it is.

As for gaining access if something goes wrong I am pretty sure the best way to regain access would be through the database. As even if you remove the module ProcessWire will still see the user as having TFA enabled. I have not tested this myself I did some googling and found nothing about regaining access after TFA goes wrong bit strange to have no way to recover yourself.

When I get time I will look at adding some sort of confirmation messages that show more clearly that a new key has been added. As for a summary/description that should be doable but behind the scenes all the data for all the keys is being saved in one huge text field which is already imposing a limit of keys to about 10 if I recall correctly? (janky I know but at the time the was zero documentation on making custom TFA modules I was the first developer besides Ryan to make a TFA module)

  • Like 1
  • Thanks 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...