Opened 6 years ago

Last modified 6 years ago

#1055 closed task

Implement extension for logging in with OTP — at Version 5

Reported by: Nicklas Nordborg Owned by: Nicklas Nordborg
Priority: major Milestone: OTP login v1.0
Component: net.sf.basedb.otp Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

Inspired by https://freeotp.github.io/ which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form needs to have three fields (currently not supported by BASE).

The extension needs a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface, which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.

Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:

  • Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
  • Be able to specify applications that are required to use OTP (including the web client).
  • To enable new users to set up OTP in the case the web client is locked down, the extension should implement a special "Create OTP" page where the user can set this. It is kind of a separate login page that can only be used once.
  • The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user it is important that the identity is verified, since otherwise a hacker that happens to get hold of the password could ask for a reset and then generate a new OTP, locking the real user out.
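The description asks for codes generated the FreeOTP way (time-based one-time passwords, RFC 6238 on top of the RFC 4226 HOTP construction), a per-user secret stored on the server, and an admin-side reset. The block below is an added example written for this page in Python; it is not code from the BASE OTP extension (net.sf.basedb.otp), from FreeOTP, or from the YubiKey extension. The `OtpStore` class, the user names and the in-memory dictionaries are constructed stand-ins for whatever storage the extension ends up using in the BASE database, and the secret is the RFC 6238 reference test key rather than a real enrolment. It goes slightly beyond the ticket text in two places that matter for a verifier: it accepts codes from one time step on either side of the server clock, and it remembers the last accepted counter per user so the same code cannot be replayed.

```python
"""TOTP (RFC 6238) generation and verification with a per-user secret store.

Added example for this ticket page; not the BASE OTP extension's own code.
OtpStore, the user names and the sample sequence are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret "12345678901234567890", base32-encoded
# (the form an authenticator app such as FreeOTP receives in an otpauth:// URI).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 key text; tolerate lower case, spaces and missing padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class OtpStore:
    """Per-user secret plus the last accepted counter (replay guard).
    Constructed in-memory stand-in for storage in the BASE database."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}

    def enroll(self, user: str, base32_secret: str) -> None:
        self._secrets[user] = decode_base32_secret(base32_secret)
        self._last_counter[user] = -1

    def reset(self, user: str) -> None:
        """Admin reset: drop the key so the user has to enroll again."""
        self._secrets.pop(user, None)
        self._last_counter.pop(user, None)

    def is_enrolled(self, user: str) -> bool:
        return user in self._secrets

    def verify(self, user: str, code: str, unix_time: int,
               step: int = 30, digits: int = 6, window: int = 1) -> bool:
        """Accept a code for the current step or `window` steps either side,
        reject anything at or before the last accepted counter (replay)."""
        secret = self._secrets.get(user)
        if secret is None:
            return False  # no key enrolled: OTP login cannot succeed
        if len(code) != digits or not code.isdigit():
            return False
        counter = unix_time // step
        for c in range(counter - window, counter + window + 1):
            if c <= self._last_counter[user]:
                continue  # already used, or older than a used code
            if hmac.compare_digest(hotp(secret, c, digits), code):
                self._last_counter[user] = c
                return True
        return False


def demo_login_sequence() -> list[bool]:
    """Enroll -> login -> replay -> clock drift -> unknown user -> bad input -> reset.
    Constructed sequence using the RFC reference secret."""
    store = OtpStore()
    store.enroll("alice", RFC_TEST_SECRET_B32)
    results = [
        store.verify("alice", "287082", 59),   # valid code for counter 1
        store.verify("alice", "287082", 59),   # same code again: replay rejected
        store.verify("alice", "969429", 89),   # counter-3 code, client one step ahead
        store.verify("bob", "287082", 59),     # user never enrolled
        store.verify("alice", "12345", 120),   # malformed code
    ]
    store.reset("alice")
    results.append(store.is_enrolled("alice"))
    return results


if __name__ == "__main__":
    print(totp(decode_base32_secret(RFC_TEST_SECRET_B32), 59))  # 287082
    print(demo_login_sequence())
```

The secret is compared only through `hmac.compare_digest` and is never rendered, which is the property the description wants from "hidden extended properties": the server needs the key to compute codes but nothing in the web interface needs to display it. The `reset` method is the admin-side removal from the last bullet; identity verification of the person requesting it is a policy step outside this block.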

Change History (5)

comment:1 by Nicklas Nordborg, 6 years ago

Component: not classified → net.sf.basedb.otp
Milestone: OTP login v1.0
Owner: changed from Jari Häkkinen to Nicklas Nordborg

comment:2 by Nicklas Nordborg, 6 years ago

(In [4845]) References #1055: Implement extension for logging in with OTP

Adding Eclipse project files and some additional source code folders.

comment:3 by Nicklas Nordborg, 6 years ago

(In [4846]) References #1055: Implement extension for logging in with OTP

Adding some code, the build file and some other required files (META-INF folder) to make compilation and packaging work.

comment:4 by Nicklas Nordborg, 6 years ago

(In [4847]) References #1055: Implement extension for logging in with OTP

Proof-of-concept code. Basic structure is inspired by the YubiKey extension. The password field has been replaced with an OTP field. The secret key is currently hard-coded and all users can log in with the same OTP generator.

comment:5 by Nicklas Nordborg, 6 years ago

Description: modified (diff)