Task #2506
Authentication: Two factor authentication
Status: Closed
% Done: 100%
Description
Provide a verification token during authentication: a one-time password verification code based on the Time-based One-time Password (TOTP) algorithm.
Updated by Radek Tomiška about 4 years ago
- Status changed from New to In Progress
Updated by Radek Tomiška about 4 years ago
- % Done changed from 0 to 20
PoC is available in branch https://github.com/bcvsolutions/CzechIdMng/tree/rtomiska/2506-authenticator:
- verification code is now required for all
- code verification is executed directly in LoginController. Code verification is based on time => no other third-party server is called.
TODO:
- integrate mechanism in the right place (move logic from LoginController => AuthenticationManager) => include verification code in token.
- redirect to new page with verification code only after successful login (implement authentication filter to check verification code is given).
- generate and persist identity secret (Base32) - which entity will be used (IdmIdentity, IdmPassword, IdmProfile)?
- enable / disable two factor authentication - which entity will be used (IdmIdentity, IdmPassword, IdmProfile, IdmPasswordPolicy or global application setting)?
Updated by Radek Tomiška about 4 years ago
- % Done changed from 20 to 50
Added:
- TwoFactorAuthenticationManager api created and mechanism moved to the right place (but a lot of FIXMEs remain - authentication mechanism redesign is needed)
- identity secret (Base32) added to password entity (same as password - no audit, no return to ui except the init phase)
- enable / disable two factor authentication added to identity profile
- authentication token is not valid until two factor authentication succeeds
TODO:
- redirect to new page with verification code only after successful login (implement authentication filter to check verification code is given).
- notification (~sms) fallback + notification topic
- showLoading is stuck on verification code, when error occurs (e.g. token expires)
- remote user - disable too, when two factor authentication is enabled? Maybe this will fit with the superAdminRole workaround, which is implemented now.
- mssql change script
- recovery-codes?
- token agenda => support to add "system" token (basic and remote user authentication will not be possible, when two factor authentication is enabled).
- must change password => before or after two factor authentication?
- login expiration - show two factor too in this modal dialog
Updated by Radek Tomiška about 4 years ago
- Target version changed from 10.6.0 to 10.7.0
Updated by Radek Tomiška about 4 years ago
- % Done changed from 50 to 70
Added:
- redirect to new page with verification code only after successful login (implement authentication filter to check verification code is given).
- showLoading is no longer stuck on verification code, when error occurs (e.g. token expires).
- sso requires two factor authentication too - after login by sso, the page with verification code is shown.
- basic authentication cannot be used with two factor authentication enabled => use "system" token.
- must change password is shown after successful authentication (login by username => two factor => must change password => two factor => user is logged in).
- login expiration - two factor is shown in this modal dialog too.
TODO:
- notification (~sms) fallback + notification topic
- mssql change script
- test
- documentation
- token agenda => support to add "system" token (basic and remote user authentication will not be possible, when two factor authentication is enabled) - #1199
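To show how the pieces from this and the previous update fit together (a login token that is unusable until the code is verified, an authentication filter that lets only the verification endpoint through in that state, public endpoints bypassing the filter, basic authentication refused for identities with two factor enabled, and a "system" token for API clients), here is an added Python sketch. It is not CzechIdM's own code: the class names, the endpoint paths, the token kinds and the constructed code verifier are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Endpoints reachable with no token at all (public endpoints must bypass the
# filter) and the single endpoint a not-yet-verified login token may call.
# Paths are assumed for this example, not CzechIdM's real routes.
PUBLIC_PATHS = {"/api/public/status", "/api/authentication"}
VERIFY_PATH = "/api/authentication/two-factor"


@dataclass
class Identity:
    username: str
    two_factor_enabled: bool


@dataclass
class Token:
    value: str
    identity: str
    kind: str                  # "user" = interactive login, "system" = API token issued by an admin
    two_factor_required: bool
    two_factor_verified: bool = False


class AuthenticationFilter:
    """Decides whether a request may proceed, given its token and the requested path."""

    def __init__(self, verify_code: Callable[[str, str], bool]):
        self._verify_code = verify_code       # (username, submitted code) -> bool
        self._tokens: Dict[str, Token] = {}

    def login(self, identity: Identity) -> Token:
        # The password check already passed. With two factor enabled the token
        # starts half-authenticated and grants nothing until a code is accepted.
        token = Token(secrets.token_urlsafe(16), identity.username, "user",
                      two_factor_required=identity.two_factor_enabled)
        self._tokens[token.value] = token
        return token

    def basic_auth(self, identity: Identity) -> Optional[Token]:
        # Basic authentication has no step in which to present a code, so it is
        # refused outright once the identity has two factor enabled.
        if identity.two_factor_enabled:
            return None
        return self.login(identity)

    def issue_system_token(self, identity: Identity) -> Token:
        # System tokens are created by an administrator for API clients; they
        # are what such clients use instead of basic auth when two factor is on.
        token = Token(secrets.token_urlsafe(16), identity.username, "system",
                      two_factor_required=False, two_factor_verified=True)
        self._tokens[token.value] = token
        return token

    def verify(self, token_value: str, code: str) -> bool:
        # Only an interactive login token can be upgraded by a verification code.
        token = self._tokens.get(token_value)
        if token is None or token.kind != "user":
            return False
        if self._verify_code(token.identity, code):
            token.two_factor_verified = True
            return True
        return False

    def allow(self, token_value: Optional[str], path: str) -> bool:
        if path in PUBLIC_PATHS:
            return True
        token = self._tokens.get(token_value) if token_value else None
        if token is None:
            return False
        if token.two_factor_required and not token.two_factor_verified:
            # Half-authenticated session: the verification endpoint is the only way forward.
            return path == VERIFY_PATH
        return True


# Constructed stand-in for the TOTP check: one fixed code per user, for the demo only.
CONSTRUCTED_CODES = {"alice": "123456"}


def demo_verify(username: str, code: str) -> bool:
    return hmac.compare_digest(CONSTRUCTED_CODES.get(username, ""), code)
```

In a real filter `demo_verify` would be the TOTP check against the identity's persisted secret, and the half-authenticated token should additionally carry a short expiry so an abandoned login does not leave a pending session around.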
Updated by Radek Tomiška about 4 years ago
- Related to Task #1199: Token - add agenda added
Updated by Radek Tomiška about 4 years ago
- Related to Task #473: Public endpoints must bypass BE Authentication filters added
Updated by Radek Tomiška about 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 70 to 90
Feature is implemented.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/6a460fd1c3cf92319dfbe509e63418777702810b
Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/security#two-factor_authentication
https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#two-factor_authentication
Could you provide me feedback, please?
Updated by Vít Švanda about 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did a review and tested many scenarios; this feature is very complex (especially the refactoring). Thanks for this awesome feature and the bug fixes.
Review notes:
- Update of ERD missing.
Updated by Radek Tomiška about 4 years ago
Thx for the feedback, ERD diagram updated.
Updated by Radek Tomiška about 4 years ago
- Status changed from Resolved to Closed
Updated by Radek Tomiška over 3 years ago
- Related to Defect #2761: SSO: Token expiration is thrown under SSO (expiration modal window is shown, but login is not possible because SSO) added
Updated by Radek Tomiška over 3 years ago
- Related to Defect #1572: Logon attempts exceeded with SSO added