Opened 6 years ago
Closed 6 years ago
#1055 closed task (fixed)
Implement extension for logging in with OTP
Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
---|---|---|---|
Priority: | major | Milestone: | OTP login v1.0 |
Component: | net.sf.basedb.otp | Keywords: | |
Cc: | | | |
Description
Inspired by https://freeotp.github.io/ which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form needs to have three fields (currently not supported by BASE).
The extension needs a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface, which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.
Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:
- Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
- Be able to specify applications that are required to use OTP (including the web client).
- To enable new users to set up OTP in the case the web client is locked down, the extension should implement a special "Create OTP" page where the user can set this. It is kind of a separate login page that can only be used once.
- The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user it is important that the identity is verified, since otherwise a hacker who happens to get hold of the password could ask for a reset and then generate a new OTP, locking the real user out.
Links:
- The TOTP specification allows for different hashing algorithms (SHA1, SHA256 and SHA512). It seems like many implementations only support SHA1. Is there any downside to this and should we spend time to support more than SHA1? I think not... https://www.quora.com/Why-is-the-SHA1-algorithm-still-being-used-with-2FA-codes-instead-of-SHA2
Change History (29)
comment:1 by , 6 years ago
Component: | not classified → net.sf.basedb.otp |
---|---|
Milestone: | → OTP login v1.0 |
Owner: | changed from | to
comment:2 by , 6 years ago
comment:3 by , 6 years ago
comment:4 by , 6 years ago
comment:5 by , 6 years ago
Description: | modified (diff) |
---|
comment:6 by , 6 years ago
(In [4848]) References #1055: Implement extension for logging in with OTP
Added configuration file to make it possible to disable or force OTP for specific client applications.
Removed the hard-coded secret key and changed the implementation to use an extended property instead. This has only been added manually so far. It is not the best solution since the extended properties are visible and searchable in the GUI and may cause the secrets to be revealed. We should either store them outside of BASE or wait for BASE to implement "hidden" extended properties.
comment:7 by , 6 years ago
(In [4849]) References #1055: Implement extension for logging in with OTP
Started to work on functionality for setting up OTP for an account. The login page should now contain links to a popup dialog.
The dialog asks the user to enter the username and password. This should trigger the server to generate a new OTP secret key and display it to the user as a QR code (not implemented). The user should then scan the code with the phone and let it generate a password code. The password code should be entered in the dialog and saved to complete the setup (not implemented).
comment:8 by , 6 years ago
(In [4850]) References #1055: Implement extension for logging in with OTP
Implemented QR code generation in the OTP configuration dialog. The user must first enter the username before the QR code can be generated (since implementations typically require a name identifying the QR code).
A servlet is used for creating the OTP secret key and generating the QR code. We create 2 keys to get a 160-bit key instead of the default 80-bit. The QR code is generated with a library from: https://www.nayuki.io/page/qr-code-generator-library
We output it as a png image and encode it with Base64 to be able to transfer it with JSON to the browser which can then display it with <img src="data:image/png;base64,...">
Basic error handling has been implemented but can probably be improved. It is still not possible to save the secret key.
comment:9 by , 6 years ago
(In [4851]) References #1055: Implement extension for logging in with OTP
Saving the generated secret key has now been implemented. It will perform checks that the user login and password are correct and that a valid OTP is given. It is not allowed to overwrite an existing secret key.
There are some weak points remaining:
- The secret key for generating the QR code is temporarily stored in a global variable, which means that if two users start the OTP setup at the same time it will be messed up.
- Secret keys are stored in the database as "extended properties". This is not good since they are visible in plain text in the browser.
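The setup flow described in comment:8 and comment:9 (a 160-bit secret, the text behind the QR code, checking that a valid OTP is given before saving, refusing to overwrite an existing key), together with the SHA1/SHA256/SHA512 question from the description, as an added example in Go. This is not code from the BASE OTP extension (which is written in Java); the issuer name "BASE", the 6-digit/30-second defaults, the one-step verification window and the session-keyed map of pending secrets (the fix for the global-variable weakness listed above) are this example's own choices. The `hashes` table goes beyond the ticket by supporting all three algorithms RFC 6238 allows, so the cost of going beyond SHA1 can be seen directly.

```go
package main
import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"math"
	"net/url"
	"strings"
	"time"
)

// hashes lists the algorithms RFC 6238 allows; SHA1 is what most authenticator apps support.
var hashes = map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New, "SHA512": sha512.New}

// HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation to 31 bits,
// then the low `digits` decimal digits, zero-padded. Unknown algorithm names panic.
func HOTP(secret []byte, counter uint64, digits int, alg string) string {
	mac := hmac.New(hashes[strings.ToUpper(alg)], secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	o := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[o:o+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP (RFC 6238) is HOTP with the counter taken from Unix time in 30-second steps.
func TOTP(secret []byte, unix int64, digits int, alg string) string {
	return HOTP(secret, uint64(unix/30), digits, alg)
}

// Verify accepts the current step or one step either side (phone clocks drift), comparing in constant time.
func Verify(secret []byte, code string, unix int64, alg string) bool {
	for _, skew := range []int64{0, -30, 30} {
		if hmac.Equal([]byte(TOTP(secret, unix+skew, 6, alg)), []byte(code)) {
			return true
		}
	}
	return false
}

// ProvisioningURI is the text the QR code carries; apps expect the secret as unpadded base32.
func ProvisioningURI(issuer, account string, secret []byte, alg string) string {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=%s&digits=6&period=30",
		url.PathEscape(issuer), url.PathEscape(account), enc, url.QueryEscape(issuer), strings.ToUpper(alg))
}

// Enrollment keeps unconfirmed secrets per session (not in one global variable, so
// concurrent setups cannot collide) and confirmed secrets per account (in-memory stand-in for the database).
type Enrollment struct {
	pending   map[string][]byte // session id -> secret shown as QR code
	confirmed map[string][]byte // account -> confirmed secret
}

func NewEnrollment() *Enrollment { return &Enrollment{map[string][]byte{}, map[string][]byte{}} }

// Begin draws a fresh secret for this session and returns the QR code contents.
func (e *Enrollment) Begin(session, account string) string {
	s := make([]byte, 20) // 160-bit secret, the size comment:8 settles on
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	e.pending[session] = s
	return ProvisioningURI("BASE", account, s, "SHA1")
}

// Confirm stores the pending secret only if the code proves the phone holds it,
// and never overwrites an existing secret (that takes an admin reset).
func (e *Enrollment) Confirm(session, account, code string, now int64) error {
	s, ok := e.pending[session]
	if !ok {
		return fmt.Errorf("no OTP setup in progress for this session")
	}
	if _, exists := e.confirmed[account]; exists {
		return fmt.Errorf("account already has an OTP secret; reset it first")
	}
	if !Verify(s, code, now, "SHA1") {
		return fmt.Errorf("invalid OTP code")
	}
	delete(e.pending, session)
	e.confirmed[account] = s
	return nil
}

func main() {
	e, now := NewEnrollment(), time.Now().Unix()
	fmt.Println(e.Begin("session-1", "alice"))
	fmt.Println("confirm:", e.Confirm("session-1", "alice", TOTP(e.pending["session-1"], now, 6, "SHA1"), now))
}
```

`HOTP` and `TOTP` can be checked against the published vectors: with the ASCII secret "12345678901234567890", HOTP counter 0 gives 755224 (RFC 4226) and TOTP at T=59 with 8 digits gives 94287082 for SHA1 (RFC 6238 Appendix B, which uses 32- and 64-byte secrets for the SHA256 and SHA512 rows). Note that `Verify` only checks the code; a real server would also keep the last accepted step per account so the same code cannot be replayed within the window.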
comment:10 by , 6 years ago
comment:11 by , 6 years ago
(In [4853]) References #1055: Implement extension for logging in with OTP
The OTP secret keys are now encrypted before they are stored in the database. Unfortunately we can't use a simple hashing method since we need to decrypt back to the original keys.
Instead we use a master password from the base-otp.properties file and the internal ID of the user account to create an encryption key for AES-128. This makes sure that each OTP key is encrypted with a unique key. The inclusion of the internal ID makes sure that it is not possible to copy an existing encrypted key to another user account.
Note that once the master password has been used once it is not possible to change it without having to reset all existing keys and force users to redo their OTP setup.
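The per-user encryption scheme from this commit (master password from base-otp.properties plus the account's internal ID yielding a unique AES-128 key per user) as an added example in Go, not the extension's own Java code. The commit does not say how the two inputs are combined or which AES mode is used, so HMAC-SHA256(master, big-endian ID) truncated to 16 bytes and AES-128-GCM are this example's assumptions; GCM's authentication tag is what makes a value copied to another account, or a changed master password (the caveat in the note above), fail with a clean error rather than decrypt to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// userKey derives the per-user AES-128 key from the master password and the
// account's internal ID (assumed derivation; the commit only says both are combined).
func userKey(master string, userID int64) []byte {
	mac := hmac.New(sha256.New, []byte(master))
	var id [8]byte
	binary.BigEndian.PutUint64(id[:], uint64(userID))
	mac.Write(id[:])
	return mac.Sum(nil)[:16]
}

// aead builds AES-128-GCM for the user's key (mode assumed; the commit names only AES-128).
func aead(master string, userID int64) (cipher.AEAD, error) {
	block, err := aes.NewCipher(userKey(master, userID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret encrypts an OTP secret for storage as nonce || ciphertext || tag.
func SealSecret(master string, userID int64, secret []byte) ([]byte, error) {
	g, err := aead(master, userID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, secret, nil), nil
}

// OpenSecret decrypts a stored value. It fails for a value copied from another
// account (different ID), sealed under another master password, or tampered with.
func OpenSecret(master string, userID int64, stored []byte) ([]byte, error) {
	g, err := aead(master, userID)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(stored) < n+g.Overhead() {
		return nil, errors.New("stored value too short")
	}
	return g.Open(nil, stored[:n], stored[n:], nil)
}

func main() {
	secret := []byte("12345678901234567890") // constructed 160-bit stand-in for a real OTP secret
	master := "master-from-base-otp.properties" // placeholder, not a real configuration value
	stored, _ := SealSecret(master, 42, secret)
	back, err := OpenSecret(master, 42, stored)
	fmt.Printf("same user: %q err=%v\n", back, err)
	_, err = OpenSecret(master, 43, stored)
	fmt.Println("copied to user 43:", err)
	_, err = OpenSecret("new-master", 42, stored)
	fmt.Println("after master change:", err)
}
```

Because the master password is mixed into every key, rotating it means re-encrypting every stored secret under the new password, which is exactly why the note above says a change forces all users to redo their setup unless a migration step that decrypts with the old password and seals with the new one is run first.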
comment:12 by , 6 years ago
comment:13 by , 6 years ago
comment:14 by , 6 years ago
comment:15 by , 6 years ago
comment:16 by , 6 years ago
comment:17 by , 6 years ago
comment:18 by , 6 years ago
comment:19 by , 6 years ago
comment:20 by , 6 years ago
comment:21 by , 6 years ago
comment:22 by , 6 years ago
comment:23 by , 6 years ago
comment:24 by , 6 years ago
comment:25 by , 6 years ago
(In [4922]) References #1055: Implement extension for logging in with OTP
Made the otpSecretKey extended property a hidden property so that it doesn't show up in lists or other pages in the web interface.
Added "OTP" tab in the "Edit user" dialog with the possibility to remove an existing secret key. The "Require OTP" option has also been moved to this tab and disabled in the tab with other extended properties.
comment:26 by , 6 years ago
comment:27 by , 6 years ago
comment:28 by , 6 years ago
comment:29 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
(In [4845]) References #1055: Implement extension for logging in with OTP
Adding Eclipse project files and some additional source code folders.