
Two factor authentication login: new GoogleAuthenticator plugin on Marketplace! #2846

Closed
robocoder opened this issue Jan 1, 2012 · 18 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Comments

@robocoder
Contributor

Proposing Yubico integration initially since I already have a Yubikey.

Can look into other vendors later.

@mattab
Member

mattab commented Feb 17, 2012

Can you please elaborate on this one? Is it a proposal for core or a plugin?

@robocoder
Contributor Author

Changes to core are needed either way.

@mattab
Member

mattab commented Dec 14, 2012

It would be great to have, even using Google two factor authentication API.

@halfdan
Member

halfdan commented Sep 5, 2013

I started an implementation for two-factor authentication:

  • It integrates into the standard login
    • After entering username + password the Login checks if 2FA is activated and requires a two-factor auth secret
  • A user can activate 2FA in UsersManager by scanning a QRCode and typing in the current number

Some refactoring has to happen to the Login plugin in order to make this work. Right now the Auth mechanism depends on AuthRequest, which extends Zend_Auth_AuthRequest (a dependency we should get rid of). AuthRequest only provides states for SUCCESS and FAILURE, but I need a new state "TWO_FACTOR_REQUIRED" to mark the attempt as valid (username + password correct, two factor secret missing).

I would also like to propose a change in the authentication logic. The API.Request.authenticate event should be changed, so that we could offer alternative authentication methods that do NOT rely on token_auth. E.g. for two-factor auth, as an additional security feature we need at least token_auth + verification_secret to authenticate the request. There might be other login solutions that would make the token_auth obsolete, so the API.Request.authenticate event should just pass the $_REQUEST array.

Current status is attached as screenshot.

@halfdan
Member

halfdan commented Sep 5, 2013

Attachment: Two Factor Authentication in Admin backend
two-factor-auth-piwik.png

@mattab
Member

mattab commented Sep 6, 2013

It is a great feature for sure. You are welcome to refactor the Login plugin to make this possible. This feature has to be provided by a Plugin, not in core. It is better to keep such advanced yet awesome feature out of core. Investigate how this can be done with a refactor of Login class + adding new events to let plugin extend the ValidateUser/Login/Logout workflows.

I suggest you submit your code as a Pull Request so we can further discuss the design.

@mattab
Member

mattab commented Sep 6, 2013

As a small first step it's good if you can get rid of Zend_Auth_AuthRequest, as in general we'd like to move away from Zend_* (we'll tackle Registry and Log* for sure).

@halfdan
Member

halfdan commented Sep 6, 2013

I'll try to implement this in the Login plugin. There is no other solution IMO.

Since two-factor auth comes after the normal Login process (username + password), the only way to implement this in a new plugin is by copying the Login plugin (which I will not do).

TOTP is a de facto standard (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm#Public_Server_Implementations) across many services, so I really think this should be a core feature and provided by the Login plugin. The feature is not "advanced", it's just an improvement over the relatively low security Piwik currently provides (md5 + single salt).

@robocoder robocoder added this to the 2.x - The Great Piwik 2.x Backlog milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Mar 8, 2015
@ghost

ghost commented Jul 10, 2015

This should be back in the roadmap!

@MagicFab

Other free open source implementations of this exist, this reminds me of this 2FA plugin for WordPress, very nicely implemented.

@strobeltobias

Two factor authentication for Piwik would be awesome! Especially the data of website visitors would be better protected against hackers.
Maybe a Yubikey integration would also be possible. I get on great with this gadget!

@robocoder
Contributor Author

There are ways to approach this:

  1. 2fa is enabled for everyone, so the pin is input on the same form as the user+password
  2. 2fa is enabled per user, so requires an intermediate pin page

@sgiehl
Member

sgiehl commented Jul 24, 2015

There is now a plugin for GoogleAuthenticator. See http://plugins.piwik.org/GoogleAuthenticator

@robocoder
Contributor Author

@sgiehl: how hard would it be to allow API requests without the auth_code?

@sgiehl
Member

sgiehl commented Jul 24, 2015

Guess we would need to add app-specific passwords or something like that.
Otherwise a login would be possible using token_auth in the URL only.

@mattab
Member

mattab commented Jul 25, 2015

@sgiehl Well done, this looks epic. It is excellent news for the Piwik community 🚀

@MagicFab

@sgiehl app-specific passwords: #6559

I believe we can now close this one?

@mattab
Member

mattab commented Aug 12, 2015

I guess the issue can be closed and all further requests regarding two factor auth can go into the plugin github repository: https://github.com/sgiehl/piwik-plugin-GoogleAuthenticator

@sgiehl I'll leave you the pleasure of closing it 🎉

@sgiehl sgiehl closed this as completed Aug 12, 2015
@mattab mattab changed the title Two factor authentication login Two factor authentication login: new GoogleAuthenticator plugin on Marketplace! Oct 13, 2015
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Oct 5, 2016
6 participants