Opened 6 years ago

Last modified 6 years ago

#1055 closed task

Implement extension for logging in with OTP — at Initial Version

Reported by: Nicklas Nordborg Owned by: Jari Häkkinen
Priority: major Milestone: OTP login v1.0
Component: net.sf.basedb.otp Keywords:
Cc:

Description

Inspired by https://freeotp.github.io/ which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form needs to have three fields (currently not supported by BASE).

The extension needs a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface, which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.

Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:

  • Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
  • Be able to specify applications that are required to use OTP (including the web client).
  • To enable new users to set up OTP in the case the web client is locked down, the extension should implement a special "Create OTP" page where the user can set this. It is kind of a separate login page that can only be used once.
  • The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user it is important that the identity is verified, since otherwise a hacker that happens to get hold of the password could ask for a reset and then generate a new OTP locking the real user out.
