
Two-Factor authentication (TOTP)

Open nabokihms opened this issue 1 year ago • 8 comments

Overview

This pull request implements two-factor authentication (2FA) in Dex. The 2FA data is securely stored within the OfflineSessions object, enhancing security for connectors that lack built-in 2FA support, such as LDAP and local connectors. Upon first login, users will save their 2FA settings using a QR code, after which they will use the saved 2FA for subsequent logins. Below is an example configuration for enabling 2FA:

# Configuration for the two-factor authentication
twoFactorAuthn:
  issuer: "dex"
  connectors:
    - mock

What this PR does / why we need it

Enhancing Dex with 2FA adds an additional layer of security, making unauthorized access significantly more difficult. This is particularly valuable for connectors like LDAP and local connectors that do not inherently support 2FA. By implementing 2FA, we align Dex with industry best practices for identity management, meet higher security compliance requirements, and ensure better protection for user data, thereby building greater trust with our users.

Special notes for your reviewer

(two screenshots attached)

nabokihms avatar Aug 26 '24 21:08 nabokihms

closes https://github.com/dexidp/dex/issues/352

nabokihms avatar Sep 12 '24 22:09 nabokihms

closes https://github.com/dexidp/dex/issues/1547

nabokihms avatar Sep 12 '24 23:09 nabokihms

closes https://github.com/dexidp/dex/pull/1270

nabokihms avatar Sep 12 '24 23:09 nabokihms

I'm neither a maintainer nor a reviewer, so I'm not sure this is the best place to ask this, but would it be possible to display the "textual" code below the QR code?

This is useful when you can't scan the QR code, for example when your TOTP application is directly on your computer.

(Edit: typo)

sambonbonne avatar Dec 03 '24 12:12 sambonbonne

Do we know if we are going to see this merged in the near future? This would be a great feature to see deployed, as more and more security requirements ask for 2FA on auth providers.

lanord avatar Dec 11 '24 15:12 lanord

@sambonbonne good addition, thanks! @lanord I am willing to merge it this year after figuring out some API nuances.

nabokihms avatar Jan 14 '25 20:01 nabokihms

@nabokihms Is there a way to fund the work in this PR?

Kludex avatar Jan 28 '25 13:01 Kludex

Nice feature to have indeed.

Have you considered supporting slapo-otp(5) when you started the project?

shaohme avatar Apr 09 '25 07:04 shaohme

Hi, is TOTP still planned for this year? My team would like to use this amazing feature with local connectors. :pray:

A small update: I've taken a look at the PR and noticed that totp.Generate is always called with an empty secret option and generally it is good to have it randomized, but for simpler use cases (e.g. in-memory storage), it might be worth supporting a static secret in order to keep offlineSessions.TOTP idempotent between restarts. Kind of similar to how static passwords are already handled in Dex.

p-alexander avatar Oct 04 '25 08:10 p-alexander
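To make the flow in the PR description and the secret-handling point in the last comment concrete, here is an added, stdlib-only example in Go (not code from this PR or from Dex): enrollment produces the textual base32 secret and the otpauth:// URI that becomes the QR code under the configured issuer, and the login check verifies an RFC 6238 code with a one-step clock window. The function names, the secret argument (random in production, static only for restart-stable in-memory setups) and the account label are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

const totpStep = 30 * time.Second

// NewEnrollment returns what the first-login page would show: the textual
// base32 secret (for users who cannot scan) and the otpauth:// URI that is
// rendered as the QR code. The caller supplies the secret: fresh random bytes
// normally, a static value only for restart-stable in-memory setups.
func NewEnrollment(issuer, account string, secret []byte) (b32, uri string) {
	b32 = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	q := url.Values{}
	q.Set("secret", b32)
	q.Set("issuer", issuer)
	uri = "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
	return b32, uri
}

// Code computes the RFC 6238 six-digit value for the 30 s step containing t:
// HMAC-SHA1 over the big-endian step counter, then dynamic truncation.
func Code(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix())/uint64(totpStep/time.Second))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verify is the subsequent-login check: the submitted code must match the
// current step or one step either side (clock skew), compared in constant time.
func Verify(secret []byte, code string, now time.Time) bool {
	for _, d := range []time.Duration{-totpStep, 0, totpStep} {
		if hmac.Equal([]byte(Code(secret, now.Add(d))), []byte(code)) {
			return true
		}
	}
	return false
}
```

The server should also reject reuse of a code already accepted within the same step, which this minimal check does not track.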