Opened 5 weeks ago

Last modified 4 weeks ago

#1055 new task

Implement extension for logging in with OTP

Reported by: nicklas Owned by: nicklas
Priority: major Milestone: OTP login v1.0
Component: net.sf.basedb.otp Keywords:
Cc:

Description (last modified by nicklas)

Inspired by https://freeotp.github.io/, which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form needs to have three fields (currently not supported by BASE).

The extension needs a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface, which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.

Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:

  • Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
  • Be able to specify applications that are required to use OTP (including the web client).
  • To enable new users to set up OTP in the case the web client is locked down, the extension should implement a special "Create OTP" page where the user can set this. It is kind of a separate login page that can only be used once.
  • The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user, it is important that the identity is verified, since otherwise a hacker who happens to get hold of the password could ask for a reset and then generate a new OTP, locking the real user out.

Links:

Change History (19)

comment:1 Changed 5 weeks ago by nicklas

  • Component changed from not classified to net.sf.basedb.otp
  • Milestone set to OTP login v1.0
  • Owner changed from jari to nicklas

comment:2 Changed 5 weeks ago by nicklas

(In [4845]) References #1055: Implement extension for logging in with OTP

Adding Eclipse project files and some additional source code folders.

comment:3 Changed 5 weeks ago by nicklas

(In [4846]) References #1055: Implement extension for logging in with OTP

Adding some code, the build file and some other required files (META-INF folder) to make compilation and packaging work.

comment:4 Changed 5 weeks ago by nicklas

(In [4847]) References #1055: Implement extension for logging in with OTP

Proof-of-concept code. Basic structure is inspired by the YubiKey extension. The password field has been replaced with an OTP field. The secret key is currently hard-coded and all users can log in with the same OTP generator.

comment:5 Changed 5 weeks ago by nicklas

  • Description modified (diff)

comment:6 Changed 5 weeks ago by nicklas

(In [4848]) References #1055: Implement extension for logging in with OTP

Added configuration file to make it possible to disable or force OTP for specific client applications.

Removed the hard-coded secret key and changed the implementation to use an extended property instead. This has only been added manually so far. It is not the best solution since the extended properties are visible and searchable in the GUI and may cause the secrets to be revealed. We should either store them outside of BASE or wait for BASE to implement "hidden" extended properties.

comment:7 Changed 5 weeks ago by nicklas

(In [4849]) References #1055: Implement extension for logging in with OTP

Started to work on functionality for setting up OTP for an account. The login page should now contain links to a popup dialog.

The dialog asks the user to enter the username and password. This should trigger the server to generate a new OTP secret key and display it for the user as a QR code (not implemented). The user should then scan the code with the phone and let it generate a password code. The password code should be entered in the dialog and saved to complete the setup (not implemented).

comment:8 Changed 5 weeks ago by nicklas

(In [4850]) References #1055: Implement extension for logging in with OTP

Implemented QR code generation in the OTP configuration dialog. The user must first enter the username before the QR code can be generated (since implementations typically require a name identifying the QR code).

A servlet is used for creating the OTP secret key and generating the QR code. We create 2 keys to get a 160-bit key instead of the default 80-bit. The QR code is generated with a library from: https://www.nayuki.io/page/qr-code-generator-library

We output it as a png image and encode it with Base64 to be able to transfer it with JSON to the browser which can then display it with <img src="data:image/png;base64,...">

Basic error handling has been implemented but can probably be improved. It is still not possible to save the secret key.

comment:9 Changed 5 weeks ago by nicklas

(In [4851]) References #1055: Implement extension for logging in with OTP

Saving the generated secret key has now been implemented. It will perform checks that the user login and password are correct and that a valid OTP is given. It is not allowed to overwrite an existing secret key.

There are some weak points remaining:

  • The secret key for generating the QR code is temporarily stored in a global variable, which means that if two users start the OTP setup at the same time it will be messed up.
  • Secret keys are stored in the database as "extended properties". This is not good since they are visible in plain text in the browser.

comment:10 Changed 5 weeks ago by nicklas

(In [4852]) References #1055: Implement extension for logging in with OTP

The auto-generated secret keys are now stored temporarily in a WeakHashMap with the SessionControl as the key. This should get rid of the problem with multiple users setting up OTP at the same time.

comment:11 Changed 5 weeks ago by nicklas

(In [4853]) References #1055: Implement extension for logging in with OTP

The OTP secret keys are now encrypted before they are stored in the database. Unfortunately we can't use a simple hashing method since we need to decrypt back to the original keys.

Instead we use a master password from the base-otp.properties file and the internal ID of the user account to create an encryption key for AES-128. This makes sure that each OTP key is encrypted with a unique key. The inclusion of the internal ID makes sure that it is not possible to copy an existing encrypted key to another user account.

Note that once the master password has been used once it is not possible to change it without having to reset all existing keys and force users to redo their OTP setup.

comment:12 Changed 5 weeks ago by nicklas

(In [4854]) References #1055: Implement extension for logging in with OTP

If the OTP setup wizard is started from the login page and a username is already entered, the OTP setup is pre-filled with the same username.

comment:13 Changed 4 weeks ago by nicklas

(In [4855]) References #1055: Implement extension for logging in with OTP

The number of iterations used in the key generation step is now saved as part of the encrypted string. This should be safer in case we need to change some parameters in the future.
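Added example of the at-rest encryption scheme described in comment:11 and comment:13 above. This is illustrative code written for this page, not the net.sf.basedb.otp source. It assumes PBKDF2-HMAC-SHA256 as the key derivation (the ticket only says an iteration count is involved), AES-128 in GCM mode (the ticket names the cipher but not the mode), and a "v1$iterations$iv$ciphertext" storage string; the master password value, the user ID 42 and the random secret are constructed for the demo. The user's internal ID is mixed into both the salt and the GCM associated data, so an encrypted blob copied to another account fails authentication instead of decrypting. The rekey method goes beyond the ticket: it shows how the master password could be rotated by re-encrypting each stored secret rather than resetting every user.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not the net.sf.basedb.otp code): encrypt a per-user OTP secret
 * with a key derived from a master password (assumed to come from
 * base-otp.properties) and the user's internal numeric ID.
 */
public final class OtpSecretVault {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int KEY_BITS = 128;          // AES-128 as in the ticket
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;           // standard GCM nonce size
    private static final int DEFAULT_ITERATIONS = 100_000;

    private final char[] masterPassword;

    public OtpSecretVault(char[] masterPassword) {
        this.masterPassword = masterPassword.clone();
    }

    /** Per-user AES key: PBKDF2(master, salt = "base-otp:" + userId, iterations). Assumed KDF. */
    private SecretKey deriveKey(int userId, int iterations) throws Exception {
        byte[] salt = ("base-otp:" + userId).getBytes(StandardCharsets.UTF_8);
        KeySpec spec = new PBEKeySpec(masterPassword, salt, iterations, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns "v1$iterations$base64(iv)$base64(ciphertext+tag)" (assumed storage format). */
    public String encrypt(int userId, byte[] otpSecret) throws Exception {
        return encrypt(userId, otpSecret, DEFAULT_ITERATIONS);
    }

    public String encrypt(int userId, byte[] otpSecret, int iterations) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv);                          // fresh nonce per encryption
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(userId, iterations), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // Bind the ciphertext to the user ID as associated data as well, so a blob
        // copied to another account fails the tag check even if the KDF changes later.
        cipher.updateAAD(Integer.toString(userId).getBytes(StandardCharsets.UTF_8));
        byte[] ct = cipher.doFinal(otpSecret);
        Base64.Encoder b64 = Base64.getEncoder();
        return "v1$" + iterations + "$" + b64.encodeToString(iv) + "$" + b64.encodeToString(ct);
    }

    /** Parses the stored string; the iteration count comes from the string, not from code. */
    public byte[] decrypt(int userId, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"v1".equals(parts[0])) {
            throw new IllegalArgumentException("unknown stored format");
        }
        int iterations = Integer.parseInt(parts[1]);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] iv = b64.decode(parts[2]);
        byte[] ct = b64.decode(parts[3]);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(userId, iterations), new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(Integer.toString(userId).getBytes(StandardCharsets.UTF_8));
        return cipher.doFinal(ct);   // AEADBadTagException if user ID or master password is wrong
    }

    /** Re-encrypt under a new master password (addition beyond the ticket: rotation without a reset). */
    public static String rekey(OtpSecretVault oldVault, OtpSecretVault newVault, int userId, String stored)
            throws Exception {
        return newVault.encrypt(userId, oldVault.decrypt(userId, stored));
    }

    public static void main(String[] args) throws Exception {
        OtpSecretVault vault = new OtpSecretVault("master-password-from-base-otp.properties".toCharArray());
        byte[] secret = new byte[20];                  // constructed 160-bit OTP secret
        RANDOM.nextBytes(secret);
        String stored = vault.encrypt(42, secret);
        System.out.println("stored: " + stored);
        System.out.println("round trip ok: " + Arrays.equals(secret, vault.decrypt(42, stored)));
        try {
            vault.decrypt(43, stored);                 // same blob copied to another account
            System.out.println("copy to another user accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("copy to another user rejected: " + e);
        }
        OtpSecretVault rotated = new OtpSecretVault("new-master-password".toCharArray());
        String migrated = rekey(vault, rotated, 42, stored);
        System.out.println("rekey ok: " + Arrays.equals(secret, rotated.decrypt(42, migrated)));
    }
}
```

Because GCM authenticates the ciphertext, a tampered or mis-filed blob is rejected outright instead of decrypting to garbage that would then silently fail every OTP check. The iteration count lives in the stored string, as comment:13 does, so it can be raised for new secrets without breaking existing ones; a version prefix leaves room for changing the KDF or cipher later.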

comment:14 Changed 4 weeks ago by nicklas

(In [4856]) References #1055: Implement extension for logging in with OTP

Added a cache that keeps track of used OTP codes to prevent the same code from being used more than once.
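Added example covering the provisioning step from comment:8 (160-bit secret and the otpauth URI that goes into the QR code) and the used-code cache from comment:14. It is written for this page and is not taken from the extension. It implements RFC 6238 TOTP with HMAC-SHA1, 6 digits and 30-second steps (the FreeOTP defaults), accepts one step of clock skew either way, and remembers the highest accepted time step per user so the same code, or any older one, is rejected as a replay; the issuer name "BASE", the username, user ID 1 and the timestamp are constructed for the demo.

```java
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not the net.sf.basedb.otp code): RFC 6238 TOTP with a 160-bit
 * secret, the otpauth:// URI for the QR code, and a used-code cache so a code
 * observed by an attacker cannot be replayed inside its validity window.
 */
public final class Totp {

    private static final int STEP_SECONDS = 30;
    private static final int DIGITS = 6;
    private static final int WINDOW = 1;   // accept one step of clock skew either way
    private static final String BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** 20 random bytes = 160 bits, the secret length recommended by RFC 4226. */
    public static byte[] newSecret() {
        byte[] s = new byte[20];
        new SecureRandom().nextBytes(s);
        return s;
    }

    /** RFC 4648 Base32 without padding; the encoding FreeOTP and similar apps expect. */
    public static String base32(byte[] data) {
        StringBuilder out = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                out.append(BASE32.charAt((buffer >> (bits - 5)) & 31));
                bits -= 5;
            }
        }
        if (bits > 0) out.append(BASE32.charAt((buffer << (5 - bits)) & 31));
        return out.toString();
    }

    /** Text encoded in the QR code; the label is the name the phone app displays. */
    public static String otpauthUri(String issuer, String username, byte[] secret) throws Exception {
        String label = URLEncoder.encode(issuer + ":" + username, "UTF-8").replace("+", "%20");
        return "otpauth://totp/" + label + "?secret=" + base32(secret)
             + "&issuer=" + URLEncoder.encode(issuer, "UTF-8")
             + "&algorithm=SHA1&digits=" + DIGITS + "&period=" + STEP_SECONDS;
    }

    /** HOTP (RFC 4226) for one counter value; TOTP uses counter = unixSeconds / 30. */
    public static String code(byte[] secret, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = h[h.length - 1] & 0x0f;          // dynamic truncation
        int binary = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return String.format("%0" + DIGITS + "d", binary % (int) Math.pow(10, DIGITS));
    }

    /** Highest time step accepted per user; a code at or below it is treated as a replay. */
    private final Map<Integer, Long> lastAcceptedStep = new HashMap<>();

    public synchronized boolean verify(int userId, byte[] secret, String submitted, long unixSeconds)
            throws Exception {
        long now = unixSeconds / STEP_SECONDS;
        long floor = lastAcceptedStep.getOrDefault(userId, Long.MIN_VALUE);
        for (long step = now - WINDOW; step <= now + WINDOW; step++) {
            if (step <= floor) continue;               // used already, or older than a used code
            if (constantTimeEquals(code(secret, step), submitted)) {
                lastAcceptedStep.put(userId, step);
                return true;
            }
        }
        return false;
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = newSecret();
        System.out.println(otpauthUri("BASE", "nicklas", secret));
        Totp totp = new Totp();
        long t = 1_700_000_000L;                       // constructed login time
        String c = code(secret, t / STEP_SECONDS);
        System.out.println("first use: " + totp.verify(1, secret, c, t));        // true
        System.out.println("replay:    " + totp.verify(1, secret, c, t + 10));   // false
        System.out.println("next step: " + totp.verify(1, secret, code(secret, t / STEP_SECONDS + 1), t + 30)); // true
    }
}
```

The cache here is an in-memory map keyed by user ID, which is enough for a single server process; if BASE runs behind several nodes the last accepted step has to live in the database or another shared store, or a code can be replayed against a different node. Comparing the submitted code with MessageDigest.isEqual avoids a timing side channel on the six digits, and the lookup stops at the first match so a correct code is never marked used twice.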

comment:15 Changed 4 weeks ago by nicklas

(In [4857]) References #1055: Implement extension for logging in with OTP

Added support for setting a new password at the same time as setting up OTP.

comment:16 Changed 4 weeks ago by nicklas

(In [4858]) References #1055: Implement extension for logging in with OTP

Added support for a flag that can be set on user accounts to require them to use OTP when logging in. This makes it possible to configure OTP to be optional for the web client but require it for some users.

comment:17 Changed 4 weeks ago by nicklas

(In [4859]) References #1055: Implement extension for logging in with OTP

Include the otp-extended-properties.xml file in the distribution.

comment:18 Changed 4 weeks ago by nicklas

(In [4863]) References #1055: Implement extension for logging in with OTP

Some minor changes:

  • Added image to the help text on the login page.
  • If OTP is required, the input is limited to numbers only and autocomplete is turned off.
  • Changed icon on the "Close" button after OTP setup.

comment:19 Changed 4 weeks ago by nicklas

(In [4864]) References #1055: Implement extension for logging in with OTP

Fixed incorrect comment.
