Implement extension for logging in with OTP
|Reported by:||Nicklas Nordborg||Owned by:||Nicklas Nordborg|
|Priority:||major||Milestone:||OTP login v1.0|
Description (last modified by )
Inspired by https://freeotp.github.io/ which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form need to have three fields (currently not supported by BASE).
The extension need a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.
Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:
- Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
- Be able to specify applications that are required to use OTP (inluding the web client).
- To enable new users to setup OTP in the case the web client is locked down the extension should implement a special "Create OTP" page where the user can set this. It's is kind of a separate login page that can only be used once.
- The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user it is important that the identity is verified, since otherwise a hacker that happens to get hold of the password could ask for a reset and then generate a new OTP locking the real user out.
- The TOTP specification allows for different hashing algorithms (SHA1, SHA256 and SHA512). It seems like many implementations only support SHA1. Is there any downside to this and should we spend time to support more than SHA1? I think not... https://www.quora.com/Why-is-the-SHA1-algorithm-still-being-used-with-2FA-codes-instead-of-SHA2
Change History (29)
comment:1 by , 5 years ago
|Component:||not classified → net.sf.basedb.otp|
|Milestone:||→ OTP login v1.0|