FIDO/U2F Two Factor Authentication

Well, it's only day 2 of this module's use with folks other than yourself (as far as I can tell), so I wouldn't worry too much about it being "hacky" (from a code pov) at the moment. There are a few UX issues that did get me confused though, and these might be worth your consideration.

Firstly, as you mentioned, the key registration process on the user account page is not intuitive. On most other websites where I have registered keys, you are allowed to name the keys and manage them individually. Whilst not being able to name/manage them is fine, I think the wording/flow of key registration could possibly be improved. Perhaps a pop-up when a key registration is successful? I ended up having to turn on the developer tools to look at the debug messages in the console to see when a registration went through OK.

Secondly, could the two buttons ("Use Security Key" and "Submit") on the 2nd factor page be removed/hidden? As far as I can tell, neither of them needs to be visible - at least not for a Yubikey - as activating the key submits the page. Do these buttons need to be visible for other U2F key types?

@netcarver day 2 of existence actually was just a late night idea I decided to go with.

There is actually a message that says it was successful, and it also counts when you do more than 1 key, but I should make it clearer. I will look into that. The managing/naming is not going to be possible though, as the settings actually vanish once you save the page. This is just how the Tfa class works as far as I can tell, but maybe I am wrong. There is not much documentation on the Tfa class besides the API and the 2x examples from Ryan.

The buttons got added for the initial tests. The Use button does have a purpose: if for some reason it doesn't automatically prompt, or you accidentally exit the prompt, you can use that button to restart the security key process without logging back in again. The submit button is indeed useless though. Originally it was click the Use button then click the Submit button, but now the JS behind it is more sophisticated and starts the auth process and submits the form on success, so I can remove the Submit button. But I think the Use button could be handy to keep.

Hmm, there's something odd here:

I have installed this module, used the admin account to modify a less-privileged account (changed tfa_type, added a security key). Then I tried to log in as that user ... and was logged in without that second factor. No need to press my hardware button; it even worked with the security key unplugged.
Does this possibly depend on another module which enables 2FA before login is dispatched to your module?

Thank you for your effort. I'm really looking forward to using my FIDO for ProcessWire.

@bee8bit Interesting. Any logs at all? If you're getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the user's profile?

What version of ProcessWire are you using too?

14 minutes ago, bee8bit said:

Does this possibly depend on another module which enables 2FA before login is dispatched to your module?

Ah, same problem with other 2FA modules. And probably the answer:

I am using a custom login form and $session->login(). This seems to circumvent any second factor!
Now I have to research if there is any way to trigger two-factor authentication from the API.

@bee8bit There are ways to call it from the API: https://processwire.com/api/ref/tfa/

I have no idea how your custom login form works, but I assume you're going to need to do some modifications. It will need to check that TFA is active, build the form and process the TFA request. Or if it's something another user has created, maybe just pester them a lot to update their module to support the TFA class that has been out for like a year already.

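As an added illustration of the flow described above (not code from the thread or from the module), this is a minimal custom login template that routes through ProcessWire's Tfa class instead of calling $session->login() directly, so a user with a registered second factor is never logged in on the password alone. It assumes the Tfa::active(), start(), process() and render() methods behave as documented on the linked API page; the return values noted in the comments are my reading of that page, and the "/account/" redirect target is a placeholder.

```php
<?php namespace ProcessWire;
// Added example, not part of the thread or the module.
// Assumption: Tfa methods behave as described at https://processwire.com/api/ref/tfa/

$tfa = new Tfa();
$home = $pages->get('/account/')->url; // placeholder destination after login

if($tfa->active()) {
    // Second step: the password already checked out and start() redirected back here.
    // Assumed return values: User on success, false on a bad code/assertion,
    // null when nothing has been submitted yet.
    $user = $tfa->process();
    if($user instanceof User) {
        $session->redirect($home);
    } elseif($user === false) {
        echo "<p class='error'>Second factor failed.</p>";
    }
    // Renders the second-factor form for the user's configured tfa_type (e.g. the FIDO/U2F prompt)
    echo $tfa->render();

} elseif($input->post('submit_login')) {
    // Reject forged cross-site posts before touching credentials
    if(!$session->CSRF->hasValidToken()) {
        throw new WireException('Invalid CSRF token');
    }
    // First step: name + password. If the user has TFA enabled, start() keeps the
    // pending login in the session and redirects; it does not log the user in here.
    $name = $sanitizer->pageName($input->post('name'));
    $pass = $input->post('pass');
    $user = $tfa->start($name, $pass);
    if($user instanceof User) {
        // Only reached for users with NO second factor configured
        $session->redirect($home);
    } else {
        echo "<p class='error'>Login failed.</p>";
    }

} else {
    // Plain credential form; the CSRF token input is ProcessWire's own helper
    echo "<form method='post'>"
       . "<input name='name' placeholder='Username'>"
       . "<input type='password' name='pass' placeholder='Password'>"
       . $session->CSRF->renderInput()
       . "<button name='submit_login' value='1'>Log in</button>"
       . "</form>";
}
```

The key point for the bypass discussed in this thread is that the custom form never calls $session->login(); every successful login passes through Tfa::start() or Tfa::process(), so a configured second factor cannot be skipped.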
3 minutes ago, Adam said:

@bee8bit Interesting. Any logs at all? If you're getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the user's profile?

What version of ProcessWire are you using too?

Thank you, Adam!

Right, nothing in the logs. ProcessWire is not seeing that TFA is enabled, because I'm not using ProcessWire's own login form but the API. We could ask Ryan if he just overlooked this or if there is reasoning for keeping $session->login() open without the second factor. Version is 3.0.123.

Martin


@bee8bit Surprised to see that the login function doesn't implement TFA. I am going on a whim and saying Ryan left it open to prevent breaking existing modules that are not built to support TFA, but it does seem like a bit of a security issue if you can disable TFA by enabling a custom login form plugin. It should deny the login when it can't do TFA.


@bee8bit The TFA class is kinda a secret outside of that API page XD I think I am the only 3rd party dev to use the TFA class also.

Annoyingly there is a TFA category on the modules directory, but I can't add my module to said category. So there is a link somewhere in ProcessWire that takes you to http://modules.processwire.com/categories/tfa/ where you only see Ryan's own modules. It's a shame that the TFA module has so much potential but it feels kinda like something that was developed then hidden away from devs and users.
