Two factor authentication login: new GoogleAuthenticator plugin on Marketplace! #2846
Comments
Can you please elaborate on this one? Is it a proposal for core or a plugin? |
Changes to core are needed either way. |
It would be great to have, even using Google two factor authentication API. |
I started an implementation for two-factor authentication:
Some refactoring has to happen to the Login plugin in order to make this work. Right now the Auth mechanism depends on AuthRequest, which extends Zend_Auth_AuthRequest (a dependency we should get rid of). AuthRequest only provides states for SUCCESS and FAILURE, but I need a new state "TWO_FACTOR_REQUIRED" to mark the attempt as valid (username + password correct, two-factor secret missing). I would also like to propose a change in the authentication logic. The API.Request.authenticate event should be changed so that we could offer alternative authentication methods that do NOT rely on token_auth. E.g. for two-factor auth, as an additional security feature we need at least token_auth + verfication_secret to authenticate the request. There might be other login solutions that would make the token_auth obsolete, so the API.Request.authenticate event should just pass the $_REQUEST array. Current status is attached as a screenshot. |
Attachment: Two Factor Authentication in Admin backend |
It is a great feature for sure. You are welcome to refactor the Login plugin to make this possible. This feature has to be provided by a Plugin, not in core. It is better to keep such an advanced yet awesome feature out of core. Investigate how this can be done with a refactor of the Login class + adding new events to let plugins extend the ValidateUser/Login/Logout workflows. I suggest you submit your code as a Pull Request so we can further discuss the design. |
As a small first step it's good if you can get rid of Zend_Auth_AuthRequest, as in general we'd like to move away from Zend_* (we'll tackle Registry and Log* for sure). |
I'll try to implement this in the Login plugin. There is no other solution IMO. Since two-factor auth comes after the normal Login process (username + password), the only way to implement this in a new plugin is by copying the Login plugin.. (which I will not do). TOTP is a de facto standard (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Public_Server_Implementations) across many services, so I really think this should be a core feature and provided by the Login plugin. The feature is not "advanced", it's just an improvement over the relatively low security Piwik currently provides (md5 + single salt). |
This should be back in the roadmap! |
Other free open source implementations of this exist, this reminds me of this 2FA plugin for WordPress, very nicely implemented. |
Two factor authentication for Piwik would be awesome! Especially the data of website visitors would be better protected against hackers. |
There are ways to approach this:
|
There is now a plugin for GoogleAuthenticator. See http://plugins.piwik.org/GoogleAuthenticator |
@sgiehl : how hard to allow API requests without the auth_code? |
Guess we would need to add app specific passwords or something like that. |
@sgiehl Well done, this looks epic. It is excellent news for the Piwik community 🚀 |
I guess the issue can be closed and all further requests regarding two-factor auth can go into the plugin GitHub repository: https://github.com/sgiehl/piwik-plugin-GoogleAuthenticator @sgiehl I'll leave you the pleasure of closing it 🎉 |
Proposing Yubico integration initially since I already have a Yubikey.
Can look into other vendors later.