Opened 4 months ago

Last modified 3 months ago

#15878 assigned Feature/Enhancement Request

Multi-factor auth for id.mayfirst.org

Reported by: Tim Stallmann
Owned by: Jamie McClelland
Priority: Medium
Component: Tech
Keywords:
Cc:
Sensitive: no

Description

Hi y'all!

Just curious if there have been any discussions about enabling multi-factor auth in the id.mayfirst.org OpenID server, particularly via U2F?

Change History (4)

comment:1 Changed 4 months ago by JaimeV

Owner: set to Jamie McClelland
Status: new → assigned

Hi, sorry for the slow response Tim. Copying jamie here as well. My understanding is that we have not talked about implementing 2FA for OpenID because we hope to be transitioning to a new infrastructure next year and the OpenID server is likely to be discontinued.

We have been discussing implementing 2FA for our NextCloud instance and we are looking at implementing this solution soon.

https://apps.nextcloud.com/apps/twofactor_totp
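For readers unfamiliar with what the linked app does under the hood, here is an added example (not code from the ticket, from Nextcloud, or from the twofactor_totp app) of RFC 6238 TOTP generation and verification. The secret and the expected codes are the published RFC 6238 Appendix B test vectors (SHA-1, 8 digits); the `last_used_counter` bookkeeping is the replay check a verifier needs and is my own addition to the bare algorithm.

```python
"""TOTP (RFC 6238) generation and verification.

Added example for this ticket; not the Nextcloud twofactor_totp app's code.
TEST_SECRET and the expected codes come from RFC 6238 Appendix B.
"""
import hashlib
import hmac
import struct

# RFC 6238 test secret: the ASCII string "12345678901234567890".
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1, step: int = 30,
                digits: int = 6, algo=hashlib.sha1):
    """Check a submitted code against the current time step and +/- `window`
    neighbouring steps (tolerates small clock skew on the phone).

    Returns (ok, counter). The caller must persist the returned counter per
    user and pass it back as `last_used_counter` on the next login: any step
    at or below it is refused, so a code captured by an attacker cannot be
    replayed inside its validity window.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, None
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_used_counter:
            continue  # already consumed: stale code or replay attempt
        expected = hotp(secret, counter, digits, algo)
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, None


if __name__ == "__main__":
    # RFC 6238 vector: T=59 -> "94287082" (SHA-1, 8 digits)
    print(totp(TEST_SECRET, 59, digits=8))
    print(verify_totp(TEST_SECRET, "94287082", 89, digits=8))            # skew tolerated
    print(verify_totp(TEST_SECRET, "94287082", 59, last_used_counter=1,
                      digits=8))                                          # replay refused
```

The per-user secret is the thing the second factor protects, so it belongs in the account database alongside (not inside) the password hash, and the server's clock must be NTP-synced or every code will land outside the window.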

comment:2 Changed 4 months ago by Jamie McClelland

As Jaime says, we probably won't be rolling anything out until our new infrastructure is in place - probably Spring 2021. However, in the meantime, I'm always interested in learning more about the options available so I welcome your input.

In our new infrastructure, we're planning to use LDAP for our user account database.

And, for most services that support it (like Nextcloud) we will probably opt for their native LDAP authentication plugin.

That means, we'll be dependent on each web application's options for two factor authentication.

Having said that, I'm also keeping tabs on the variety of single-sign on services out there. If a single sign on service really takes hold, and Nextcloud and other apps support it, it would be more convenient to have one authentication server that all apps use. The problem is that instead of one service or even protocol emerging as the one every supports, I'm instead seeing competing standards pop up all over the place!

If you could say more about U2F and how it might fit in, that would be most welcome.

comment:3 Changed 3 months ago by Tim Stallmann

Thx for the details! I know very little about configuring infrastructure at this level, but whenever I think through internal security for RAD, the fact that someone can login to the Mayfirst control panel with just a username/password (from which it's then possible to spin up new user accounts on the server, etc.) seems like a potential point of weakness. Having the option of enabling some other authentication factor to get into the account admin would be awesome!

comment:4 Changed 3 months ago by Jamie McClelland

Hi Tim, the current control panel does provide you with a decent amount of flexibility in terms of assigning which usernames have access to what features. Typically, only one username has member-wide privileges (ability to create new hosting orders) and only one (usually the same) username has full hosting order privileges on each hosting order.

One step you could take to secure your accounts would be to create a new user account with a strong 25 character random password. Then, assign this username as the only username that has both member and hosting order privileges.

If you login to the control panel with any other user account, you only have the option to set a vacation message, etc.
