
Feature Proposals » Log-in with Two-step Authentication

Summary

  • Current State: MergedToCore
  • Developer: PeterThoeny
  • Reason: AcceptedByReleaseMeeting
  • Date: 2014-08-06
  • Concerns By:
  • Bug Tracking: TWikibug:Item7538 (core code), TWikibug:Item7539 (e-mail auth), TWikibug:Item7540 (SMS auth)
  • Proposed For: KampalaRelease


Motivation

In a secure environment, two-step authentication may be required (see Wikipedia:Two_step_authentication).

This proposal adds the infrastructure for two-step authentication.

Description and Documentation

The template log-in is enhanced to support two-step authentication.

A new configure setting defines a second step authentication. Example:

$TWiki::cfg{TwoStepAuthManager} = 'TWiki::LoginManager::EmailTwoStepAuth';

If set to anything other than empty or 'none', the two-step authentication manager will be loaded by the template login. If set, these steps will be executed:

  1. The template login shows the usual login screen for username and password.
  2. On successful login, a second login screen is shown for a second challenge by the two-step authentication manager, technically done by calling the method secondStepAuth( $loginName, $origurl ).
    • This method returns the template text of the second login screen.
    • The second challenge can be omitted, such as if the user is in an internally secured environment. Technically done by returning an empty string for the second login screen.
  3. The two-step authentication manager sends an e-mail, SMS or other message to challenge the user with a secondary login, such as a one-time-use access code.
  4. The user enters the second challenge, such as a one-time-use access code, and submits the form.
  5. The template login verifies that the second challenge is correct, technically done by calling the method verifyAuth( $loginName, $accessCode ). That method returns an error string:
    • If the error is an empty string, the second challenge is OK and login succeeds.
    • Otherwise, the error string is shown in the login banner.
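
A minimal manager implementing the two methods from the steps above, as an added example that is not code from TWiki or EmailTwoStepAuthContrib. The package name, the deliver and internal callbacks, the in-memory store, and the expiry and retry limits are assumptions; the page specifies only the method names, their arguments and their return values.

```perl
package Example::TwoStepAuth;    # hypothetical name, not a TWiki module
use strict; use warnings;
use Digest::SHA qw(sha256_hex);
my ( $TTL, $MAX_TRIES ) = ( 300, 3 );    # assumed policy: seconds valid, guesses allowed

sub new {    # deliver: callback that sends the code; internal: may-skip predicate
    my ( $class, %opt ) = @_;
    # pending lives in memory for the demo; CGI needs a store that outlives a request
    return bless { %opt, internal => $opt{internal} || sub { 0 }, pending => {} }, $class;
}

sub _digits {    # six digits from the OS CSPRNG, rejection-sampled to avoid modulo bias
    open( my $fh, '<:raw', '/dev/urandom' ) or die "no /dev/urandom: $!";
    my $n;
    do {
        read( $fh, my $buf, 4 ) == 4 or die 'short read';
        $n = unpack( 'N', $buf );
    } while ( $n >= 4_294_000_000 );
    return sprintf( '%06d', $n % 1_000_000 );
}

sub secondStepAuth {
    my ( $this, $loginName, $origurl ) = @_;
    return '' if $this->{internal}->($loginName);    # challenge omitted
    my ( $code, $salt ) = ( _digits(), _digits() );
    $this->{pending}{$loginName} = { salt => $salt, tries => 0,
        hash => sha256_hex( $salt . $code ), expires => time + $TTL };
    $this->{deliver}->( $loginName, $code );
    return 'Enter the access code that was sent to you.';    # stands in for template text
}

sub verifyAuth {
    my ( $this, $loginName, $accessCode ) = @_;
    my $p = $this->{pending}{$loginName} or return 'No access code pending, log in again.';
    if ( time > $p->{expires} || ++$p->{tries} > $MAX_TRIES ) {
        delete $this->{pending}{$loginName};    # force a fresh first step
        return 'Access code expired or too many attempts, log in again.';
    }
    my $given = sha256_hex( $p->{salt} . ( defined $accessCode ? $accessCode : '' ) );
    return 'Invalid access code.' unless $given eq $p->{hash};
    delete $this->{pending}{$loginName};    # one-time use: a replayed code finds nothing
    return '';                              # empty string means the login succeeds
}

my $sent;    # demo, constructed user: deliver captures the code instead of sending it
my $mgr = __PACKAGE__->new( deliver => sub { $sent = $_[1] } );
$mgr->secondStepAuth( 'jdoe', '/constructed/origurl' );
print "$_->[0]: '", $mgr->verifyAuth( 'jdoe', $_->[1] ), "'\n"
  for [ wrong => '12' ], [ right => $sent ], [ reuse => $sent ];
```

The demo prints an error for the wrong code, an empty string for the correct one, and an error again when the same code is replayed.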

There are three tracking items:

Installation

See installation instructions of EmailTwoStepAuthContrib if you want to use this in TWiki-6.0.0 or earlier versions.

Impact

Implementation

-- Contributors: Peter Thoeny - 2014-08-07

Discussion

Accepted by release meeting at KampalaReleaseMeeting2014x08x07

-- Peter Thoeny - 2014-08-07

The initial extension for two-step authentication is now done. See installation instructions of TWiki:Plugins.EmailTwoStepAuthContrib if you want to use this in TWiki-6.0.0 or earlier versions.

The implementation of TWiki:Plugins.SmsTwoStepAuthContrib for SMS authentication is pending.

-- Peter Thoeny - 2014-08-26

The first version of TWiki:Plugins.SmsTwoStepAuthContrib for SMS authentication was done on 2014-09-10. Today I added per-user selectable single-step or two-step auth mode.

-- Peter Thoeny - 2014-09-22

Topic revision: r6 - 2014-09-22 - PeterThoeny
 
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.