
Two factor authentication

Open t2d opened this issue 6 years ago • 6 comments

Implement an easy 2FA solution with a symfony package. Maybe just OTP or U2F. It's only focused on the web interface, not IMAP/POP3.

t2d avatar Feb 05 '19 11:02 t2d

I started looking into this. The rough plan is:

  • Second factor is only required for userli login (not IMAP/POP3/SMTP).
  • For now only TOTP/google authenticator support. Webauthn etc. can come later.
  • Second factor can be set, recreated and deleted in account settings. User password is required for all of them.
  • Second factor gets deleted during recovery process.
  • Support for backup codes.

Would be nice to hear about comments and thoughts on this :blush:

doobry-systemli avatar Jul 11 '22 14:07 doobry-systemli
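The plan above (TOTP only, single-use backup codes, replay-safe web login), as an added illustration that is not userli's code and not SchebTwoFactorBundle: a minimal Python model of the server-side check. The RFC 6238 routine, the `SecondFactor` class and its field names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator uses."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecondFactor:
    """Hypothetical per-account state: TOTP secret plus single-use backup codes."""

    def __init__(self, secret: bytes, backup_count: int = 8, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_counter = -1  # replay protection: each time step is accepted once
        # Only hashes of backup codes are stored; the plaintext is shown to the user once.
        self.plain_backup_codes = [secrets.token_hex(5) for _ in range(backup_count)]
        self.backup_hashes = {
            hashlib.sha256(c.encode()).hexdigest() for c in self.plain_backup_codes
        }

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept a current TOTP (+/- window steps, never twice) or an unused backup code."""
        counter = unix_time // self.step
        for cand in range(counter - window, counter + window + 1):
            if cand <= self.last_counter:
                continue  # already consumed, or older than the last accepted code
            expected = totp(self.secret, cand * self.step, self.step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = cand
                return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)  # backup codes are single use
            return True
        return False
```

The `totp` function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), so the model can be checked against any authenticator app.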

Generally, any work on this is highly appreciated. Thanks! Can you clarify the rationale behind just enabling it for HTTPS? In my opinion, this doesn't make too much sense without the ability to enable device-specific passwords for IMAP etc.

t2d avatar Jul 11 '22 16:07 t2d

Also, have you looked at https://github.com/web-auth/webauthn-symfony-bundle? I'm not sure, but maybe webauthn isn't much more effort than TOTP?

t2d avatar Jul 11 '22 17:07 t2d

> Generally, any work on this is highly appreciated. Thanks! Can you clarify the rationale behind just enabling it for HTTPS? In my opinion, this doesn't make too much sense without the ability to enable device-specific passwords for IMAP etc.

Well, one step after another I'd say :wink: For sure device-specific passwords would be the next logical step, but that's a separate topic.

And even without device-specific passwords, 2FA-secured userli already protects your account: password, recovery token, configured aliases, OpenPGP keys in WKD all will be protected even if someone gets hold of your password and can access your account via IMAP/POP3/SMTP, no?

doobry-systemli avatar Jul 12 '22 08:07 doobry-systemli

By the way, I plan to use https://symfony.com/bundles/SchebTwoFactorBundle/ for the Two-factor implementation.

doobry-systemli avatar Jul 12 '22 11:07 doobry-systemli

I agree, thanks for explaining the reasoning.

t2d avatar Jul 13 '22 10:07 t2d