
feature request: two factor authentication support for FIDO U2F / WebAuthn

Open appliedprivacy opened this issue 6 years ago • 6 comments

Protecting icingaweb2 logins is critical for us, so we would like to require all our icingaweb2 users on our instance to use their FIDO U2F or WebAuthn hardware tokens (YubiKey, Nitrokey, ...) for strong authentication.

Describe the solution you'd like

Support for two factor authentication when using a database authentication backend.

It would be great if 2FA could be enforced and more than a single token could be assigned to an account (backup token).

Describe alternatives you've considered

OTPs via Google Authenticator are less convenient (users have to type in a PIN from the phone instead of just pressing a button on a hardware key) and less secure, since they rely on a shared secret that needs to be stored on the server instead of using public key cryptography.

appliedprivacy avatar Jul 28 '19 07:07 appliedprivacy

IMAO whether to enforce it shall be up to the local IW2 admin.

Al2Klimov avatar Apr 03 '20 15:04 Al2Klimov

xFA methods

2FA: OTP

Setup

  1. With your app you scan a QR code from your IW2 preferences page.
  2. Your app shows a code and you enter it into IW2.

Login

After entering your password, IW2 asks you for the OTP from your app.

Pros

  • Users don't have to own any special/new hardware
  • Works w/ the IW2 API (you have to provide it in an extra header)
  • Works w/ basic-authn-ing reverse proxies

Cons

  • As the reporter said: A shared secret stored on the server

2FA: U2F hardware

Setup

Your IW2 preferences page asks for e.g. the USB key – plug it in and press the button.

Login

After entering your password, IW2 asks you for e.g. the USB key – plug it in and press the button.

Pros

  • No shared secret stored on the server
  • Works w/ basic-authn-ing reverse proxies

Cons

  • Users have to own special/new hardware
  • Doesn't work w/ the IW2 API

"1FA": FIDO2 hardware

Setup

The IW2 page for registering a new user account asks for your new username and e.g. the USB key – plug it in and press the button.

Login

IW2 asks you for e.g. the USB key – plug it in and press the button.

Pros

  • No shared secret stored on the server
  • No password (and username?) to enter at all

Cons

  • Users have to own special and new hardware and new software
  • Doesn't work w/ the IW2 API
  • Doesn't work w/ basic-authn-ing reverse proxies

Al2Klimov avatar Apr 03 '20 15:04 Al2Klimov
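As an added illustration of the "2FA: OTP" method above (this is example code, not code from Icinga Web 2 or from anyone in this thread), here is the server-side half in stdlib Python: the HOTP/TOTP computation from RFC 4226/6238, and a verifier that tolerates one step of clock drift and refuses to accept a time step it has already consumed. The secret is the RFC test-vector secret, not a real one; the function names are my own. The code makes the "con" concrete: `verify_totp` can only work because the server holds the same secret the phone holds.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890" in base32).
# Stand-in for the per-user secret the server would have to keep in its database.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1, step: int = 30):
    """Server-side check. Returns the accepted time-step counter, or None.

    window:            steps of clock drift tolerated on either side of 'now'.
    last_used_counter: step of the last code accepted for this user. The server
                       must persist it, otherwise a code seen over the shoulder
                       or in a phishing page can be replayed inside the window.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    for drift in range(-window, window + 1):
        counter = unix_time // step + drift
        if counter <= last_used_counter:
            continue  # that step (or an older one) is already consumed: reject replay
        if hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = base64.b32decode(RFC_SECRET_B32)
    print("code at t=59:", totp(secret, 59))  # 287082 (RFC 6238 SHA-1 vector, last 6 digits)
    print("accepted step:", verify_totp(RFC_SECRET_B32, "287082", 59))
    print("replayed:", verify_totp(RFC_SECRET_B32, "287082", 89, last_used_counter=1))
```

The "works with the IW2 API" point from the list maps onto this directly: an API client would send the 6-digit string in the extra header and the server would call `verify_totp` with the user's stored secret and last accepted step.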

I'd opt for just OTP 2FA (see the pros/cons). Btw. I'm using it myself on GitHub and Hetzner.

@lippserd @nilmerg Please comment.

Al2Klimov avatar Apr 03 '20 16:04 Al2Klimov

Great to see some activity in this issue, thanks for moving it forward.

An additional point:

OTPs are vulnerable to phishing, which WebAuthn is not.

I'd also like to point out that you might want to also consider multiple options so that users and administrators can choose the options according to their needs.

From a security point of view it is clear that OTPs are a lot weaker than WebAuthn/U2F.

appliedprivacy avatar Apr 18 '20 17:04 appliedprivacy
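To make the phishing point above concrete, here is an added example (my code, not Icinga Web 2's and not from this thread) of the relying-party checks a WebAuthn server performs on an assertion before it even looks at the signature. The browser writes the page's origin into clientDataJSON and the authenticator hashes the rpId into authenticatorData, and both are covered by the signature, so a response produced on a look-alike host fails these checks. The hostnames, the fixed challenge and the helper names are assumptions for the demo; the ECDSA signature check against the stored public key (which is why no shared secret lives on the server) is the next step of the procedure and is not performed here.

```python
import base64
import binascii
import hashlib
import hmac
import json
import struct

# Constructed deployment values for this example.
RP_ID = "icinga.example.org"
EXPECTED_ORIGIN = "https://icinga.example.org"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser builds it for navigator.credentials.get().
    The browser fills in 'origin' itself; page script cannot choose it."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed minimal authenticatorData: sha256(rpId) | flags | 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, rp_id: str, expected_origin: str):
    """Relying-party checks on clientDataJSON and authenticatorData. Returns (ok, reason)."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except (binascii.Error, ValueError):
        return False, "challenge is not base64url"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: %r was signed, %r expected" % (data.get("origin"), expected_origin)
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x00" * 16  # constructed; a real server draws a fresh random challenge per login
    auth_data = make_authenticator_data(RP_ID)
    genuine = make_client_data(EXPECTED_ORIGIN, challenge)
    # Same challenge relayed in real time, but the page was served from a look-alike
    # host (constructed name under the RFC 2606 reserved .invalid TLD).
    relayed = make_client_data("https://icinga.example.org.login.invalid", challenge)
    for label, cd in (("genuine", genuine), ("relayed", relayed)):
        print(label, check_assertion_binding(cd, auth_data, challenge, RP_ID, EXPECTED_ORIGIN))
```

In practice the relayed case fails twice over: the browser on the look-alike host would also hand the authenticator that host's rpId, so the rpIdHash would differ as well; the example keeps the authenticator data identical to show that the origin check alone is enough to reject it. A TOTP code carries no such binding, which is the asymmetry the comment above describes.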

Anyway, MFA for Icinga Web is dead for now: https://community.icinga.com/t/2fa-for-icinga-web-2/3991/13

Al2Klimov avatar Apr 20 '20 08:04 Al2Klimov

This task is relevant to the NIS2 regulation in the EU. 2FA is required for all regulated entities. Probably almost all companies in the EU using icinga2 will be regulated by NIS2. I recommend including this task in the next release.

rpajik avatar Nov 03 '23 06:11 rpajik