
Add GPG provider ?

Open raed667 opened this issue 9 years ago • 4 comments

I have tried to add a GPG provider in a fork.

This can be useful for privacy conscious applications, where users are not meant to provide anything but a user-name and a public key.

How it works:

  1. User activates provider
  2. User submits public key
  3. Logout
  4. Login
  5. A random token is generated using wp_generate_password and saved in DB
  6. Token gets encrypted and displayed to user
  7. User decrypts token
  8. User submits token, which is compared with the one saved in DB

There are better ways in PHP to generate randomness, however this is used just for the PoC/MVP.

raed667 avatar Nov 04 '16 23:11 raed667

I love this @RaedsLab!

What are the PHP dependencies for doing the PGP encryption/decryption? How common are they on shared hosting providers?

The code should use WordPress coding standards and you could open a pull request.

kasparsd avatar Nov 12 '16 19:11 kasparsd

Thanks @kasparsd

The idea is to use a pure PHP GPG implementation, so that the solution would not depend on the hosting machine.

Should I use composer for the library or should I put the current version under includes?

raed667 avatar Nov 13 '16 13:11 raed667

It would have to go under includes -- WordPress Plugins don't really do composer in any functional way.

georgestephanis avatar Mar 28 '17 20:03 georgestephanis

Any chance this could still be implemented these days? The fork seems to have come pretty far, but is outdated nowadays.

ghost avatar Nov 03 '17 13:11 ghost

IMO this would be better as an add-on plugin, since the vast majority of folks have no clue what GPG is, and would struggle to use it even if they did. It seems like a very niche option.

iandunn avatar Oct 19 '22 16:10 iandunn

@iandunn I tend to agree with you. I will try to rework this as an add-on! Any pointers where I should look to see some example add-ons or doc?

raed667 avatar Oct 19 '22 20:10 raed667

Here's a few examples:

  • https://wordpress.org/plugins/two-factor-provider-webauthn/
  • https://github.com/mcguffin/two-factor-webauthn
  • https://github.com/WordPress/wordpress.org/tree/5551259/wordpress.org/public_html/wp-content/plugins/wporg-two-factor

The essential part is using the two_factor_providers filter to add a new provider. The class for that provider needs to extend Two_Factor_Provider. The built in providers can also be used as examples to some degree; the "Dummy" provider looks like a good example of the minimum needed.

If you run into any questions or confusing things, don't hesitate to ask. It'd be great to find out where the difficult parts of the process are and document them.

I'll go ahead and close this since the add-on approach is acceptable.

iandunn avatar Oct 19 '22 20:10 iandunn
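
An added example, not code from the fork or from the Two Factor plugin: steps 5 to 8 of the flow in the original post, written as an add-on provider registered through the `two_factor_providers` filter described above. The class name, file name, meta keys and form field are hypothetical, and encryption assumes the PECL `gnupg` extension rather than the pure-PHP library discussed in the thread.

```php
<?php
// Added example, file class-two-factor-gpg-example.php. Register it from the add-on's main file:
//   add_filter( 'two_factor_providers', function ( $providers ) {
//       $providers['Two_Factor_GPG_Example'] = __DIR__ . '/class-two-factor-gpg-example.php';
//       return $providers;
//   } );
class Two_Factor_GPG_Example extends Two_Factor_Provider {
	const KEY_META       = '_gpg_example_public_key'; // hypothetical: user's armored public key
	const CHALLENGE_META = '_gpg_example_challenge';  // hypothetical: digest + expiry of pending token
	public static function get_instance() { // defined here for plugin versions where providers supply it
		static $instance = null;
		if ( null === $instance ) {
			$instance = new self();
		}
		return $instance;
	}
	public function get_label() {
		return 'GPG challenge (example)';
	}
	public function is_available_for_user( $user ) {
		return extension_loaded( 'gnupg' ) && '' !== (string) get_user_meta( $user->ID, self::KEY_META, true );
	}
	public function authentication_page( $user ) {
		$gpg = new gnupg(); // PECL gnupg; imports into the web server user's keyring
		$key = $gpg->import( (string) get_user_meta( $user->ID, self::KEY_META, true ) );
		if ( empty( $key['fingerprint'] ) || ! $gpg->addencryptkey( $key['fingerprint'] ) ) {
			echo '<p>' . esc_html( 'The stored public key could not be used.' ) . '</p>';
			return;
		}
		$token = bin2hex( random_bytes( 16 ) ); // step 5: 128 bits from the CSPRNG
		update_user_meta( $user->ID, self::CHALLENGE_META, array(
			'hash'    => hash( 'sha256', $token ), // store a digest, not the token
			'expires' => time() + 300,             // challenge valid for five minutes
		) );
		$gpg->setarmor( 1 );
		echo '<pre>' . esc_html( $gpg->encrypt( $token ) ) . '</pre>'; // step 6
		echo '<p><input type="text" name="gpg-example-token" autocomplete="off" /></p>';
		echo '<p><input type="submit" class="button button-primary" value="Verify" /></p>';
	}
	public function validate_authentication( $user ) { // step 8
		$challenge = get_user_meta( $user->ID, self::CHALLENGE_META, true );
		delete_user_meta( $user->ID, self::CHALLENGE_META ); // single use, even when the check fails
		$raw = isset( $_POST['gpg-example-token'] ) ? wp_unslash( $_POST['gpg-example-token'] ) : '';
		if ( ! is_string( $raw ) || ! is_array( $challenge ) || time() > $challenge['expires'] ) {
			return false;
		}
		return hash_equals( $challenge['hash'], hash( 'sha256', trim( $raw ) ) );
	}
}
```

Because the class extends `Two_Factor_Provider`, it lives in its own file so the plugin can load it after the base class is defined.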

Thanks for the help!

raed667 avatar Oct 19 '22 20:10 raed667

Here's another example I just noticed: https://github.com/shield-9/two-factor-sms

iandunn avatar Oct 20 '22 14:10 iandunn

Thanks!

I have an MVP working locally, it still needs proper error handling and i18n. But the more I work on this, the more I think it is a bad idea and it opens users to phishing attacks.

Probably, the only MFA I'm willing to stand behind today is WebAuthn.

raed667 avatar Oct 20 '22 14:10 raed667