WIP: Initial feature for OTP / authenticator passwords

[flovilmart]

No description provided.

[codecov]

Codecov Report

Merging #5306 into master will increase coverage by 0.01%.
The diff coverage is 90%.

@@            Coverage Diff             @@
##           master    #5306      +/-   ##
==========================================
+ Coverage   93.88%   93.89%   +0.01%     
==========================================
  Files         123      123              
  Lines        8972     9007      +35     
==========================================
+ Hits         8423     8457      +34     
- Misses        549      550       +1

Impacted Files	Coverage Δ
...dapters/Storage/Postgres/PostgresStorageAdapter.js	97.08% <100%> (ø)	⬆️
src/Controllers/DatabaseController.js	94.94% <100%> (ø)	⬆️
src/Adapters/Storage/Mongo/MongoTransform.js	88.18% <80%> (-0.07%)	⬇️
src/Routers/UsersRouter.js	92.69% <90%> (-0.77%)	⬇️
src/Adapters/Auth/httpsRequest.js	95.23% <0%> (-4.77%)	⬇️
src/RestWrite.js	93.06% <0%> (+0.18%)	⬆️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	92.21% <0%> (+0.72%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3851641...b395f15. Read the comment docs.

[awgeorge]

Implementing #2FA apps how do you store the TOTP secret so it is safe in case of a data leak? The server needs the secret in plain text to compare the token. What's your strategy?

Tokens should be secured at rest, check out 7.5 of the specification: https://www.ietf.org/rfc/rfc4226.txt. If the master key isn't already in the database, this could be used as the encryption key (not sure how often people change this key).

Depending on how you want the 2FA to be used, IE (only at login) you could use composite keys (Section 8), the user's password/pin is used to generate the token, meaning the database effectively only stores a seed.

[flovilmart]

Ok, we could introduce a runtime encryption key for the tokens, different from the master key. Or just use the master key. What do you think?

_{Sent with GitHawk}

[awgeorge]

Probably best to use a different key, as if you somehow gained access to a master key, you also gain the power to query the token. —

…

Sent from my iPhone

On 2 Feb 2019, at 14:49, Florent Vilmart ***@***.***> wrote: Ok, we could introduce a runtime encryption key for the tokens, different from the master key. Or just use the master key. What do you think? Sent with GitHawk — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[flovilmart]

Makes sense, we can add the option. I also will likely add an OTP adapter, so users will be able to transmit the OTP password by email or phone if they want to.

_{Sent with GitHawk}

[awgeorge]

Good idea - I'm looking for an email based solution - (although I want a single auth, email only, passwordless solution)

[flovilmart]

@acinader @dplewis closing this one as I don’t intend to work on it anymore

_{Sent with GitHawk}

[acinader]

@awgeorge any interest in getting this across the finish line? If you can pick up where @flovilmart left off, I can get up to speed so I can review it with you.

[awgeorge]

This is something I’m interested in - I’ll take a look and see what’s left to get this implantation merged. —

…

Sent from my iPhone

On 6 Apr 2019, at 17:28, Arthur Cinader ***@***.***> wrote: @awgeorge any interest in getting this across the finish line? I can review and get up to speed if it is still something you'd like to see in the product? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[brianmwadime]

This is something I’m interested in - I’ll take a look and see what’s left to get this implantation merged. —
Hey @awgeorge, were you able to get this to the finish line?

[awgeorge]

Not at this time, feel free to take it on. Thanks.

[brianmwadime]

Alright @awgeorge. Thanks for the update.

[tehsunnliu]

Hey guys! is it finished yet? If anyone is interested we can do it together.