Project

General

Profile

Actions

Task #2506

closed

Authentication: Two factor authentication

Added by Radek Tomiška about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Radek Tomiška
Category:
Authentication / Authorization
Target version:
Start date:
10/01/2020
Due date:
% Done:

100%

Estimated time:
Owner:

Description

Provide an verification token during authentication – a one-time password verification code based on Time-based One-time Password TOTP algorithm.


Related issues

Related to IdStory Identity Manager - Task #1199: Token - add agendaClosedRadek Tomiška07/26/2018

Actions
Related to IdStory Identity Manager - Task #473: Public endpoints must bypass BE Authentication filtersClosedRadek Tomiška06/01/2017

Actions
Related to IdStory Identity Manager - Defect #2761: SSO: Token expiration is thrown under SSO (expiration modal window is shown, but login is not possible because SSO)ClosedRadek Tomiška04/16/2021

Actions
Related to IdStory Identity Manager - Defect #1572: Logon attempts exceeded with SSOClosedRadek Tomiška03/21/2019

Actions
Actions #1

Updated by Radek Tomiška about 4 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Radek Tomiška about 4 years ago

  • % Done changed from 0 to 20

PoC is available in branch https://github.com/bcvsolutions/CzechIdMng/tree/rtomiska/2506-authenticator:
- verification code is required for all now
- code verification is executed directly in LoginController. Code verification is based on time => no other third party server is called.

TODO:
- integrate mechanism to the right place (move logic from LoginController => AuthenticationManager) => include verification code in token.
- redirect to new page with verification code only after successfull login (implement authentication filter to check verification code is given).
- generate and persist identity secret (Base32) - which entity will be used (IdmIdentity, IdmPassword, IdmProfile)?
- enable / disable two factor authentication - which entity will be used (IdmIdentity, IdmPassword, IdmProfile, IdmPasswordPolicy or global application setting)?

Actions #3

Updated by Radek Tomiška about 4 years ago

  • % Done changed from 20 to 50

Added:
- TwoFactorAuthenticationManager api created and mechanism moved to right place (but a lot of FIXME remain - authentication mechanism redesign is needed)
- identity secret (Base32) added to password entity (same as password - no audit, no return to ui except the init phase)
- enable / disable two factor authentication added to identity profile
- authentication token is not valid since two factor authentication succeed

TODO:
- redirect to new page with verification code only after successfull login (implement authentication filter to check verification code is given).
- notification (~sms) fallback + notification topic
- showLoading is stucked on verification code, when error occurs (e.g. token expires)
- remote user - disable too, when two factor authentication is enabled? Maybe this will fit with superAdminRole workaround, which is implemented now.
- mssql change script
- recovery-codes?
- token agenda => support to add "system" token (basic and remote user authentication will not be possible, when two factor authentication is enabled).
- must change password => before or after two factor authentication?
- login expiration - show two factor too in this modal dialog

Actions #4

Updated by Radek Tomiška about 4 years ago

  • Target version changed from 10.6.0 to 10.7.0
Actions #5

Updated by Radek Tomiška about 4 years ago

  • % Done changed from 50 to 70

Added:
- redirect to new page with verification code only after successfull login (implement authentication filter to check verification code is given).
- showLoading is not stucked on verification code, when error occurs (e.g. token expires).
- sso requires two factor authentication too - after login by sso page with verification code is shown.
- basic authentication cannot be used with two factor authentication enabled => use "system" token.
- must change password is shown after successfull authentication (login by username => two factor => must change password => two factor => user is logged).
- login expiration - two factor is shown in this modal dialog too.

TODO:
- notification (~sms) fallback + notification topic
- mssql change script
- test
- documentation
- token agenda => support to add "system" token (basic and remote user authentication will not be possible, when two factor authentication is enabled) - #1199

Actions #6

Updated by Radek Tomiška about 4 years ago

Actions #7

Updated by Radek Tomiška about 4 years ago

  • Related to Task #473: Public endpoints must bypass BE Authentication filters added
Actions #8

Updated by Radek Tomiška about 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 70 to 90
Actions #9

Updated by Vít Švanda about 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did review and tested many scenarios, this feature is very complex (refactoring especially). Thanks for this awesome feature and fix bugs.

Review notes:
- Update of ERD missing.

Actions #10

Updated by Radek Tomiška about 4 years ago

Thx for feedback, ERD diagram updated.

Actions #11

Updated by Radek Tomiška about 4 years ago

  • Status changed from Resolved to Closed
Actions #12

Updated by Radek Tomiška over 3 years ago

  • Related to Defect #2761: SSO: Token expiration is thrown under SSO (expiration modal window is shown, but login is not possible because SSO) added
Actions #13

Updated by Radek Tomiška over 3 years ago

  • Related to Defect #1572: Logon attempts exceeded with SSO added
Actions

Also available in: Atom PDF