
2FA Suggestions


Lukeroge

Recommended Posts

Posted

Since there was a post from a staff member earlier about 2F authentication features, I have some suggestions for systems to implement:

  • Google Authenticator: It's used by so many people, it's pretty much a standard for mobile app auth.
  • FIDO U2F: A new protocol, it's supported in web browsers and makes use of cheap hardware tokens like this one. It's very secure and safe from phishing attacks because of its design, and it's a standardized system. Sites like Google and Dropbox have started adding support. Super easy to use.

  • Management
Posted

Google Auth is possible, though I've actually seen it lose traction. Every service I use - banking, PayPal, etc. utilizes SMS and that's at least the initial direction we intend on taking with IPS4. Again, we're not ruling out Google auth - I use it myself, but I have less and less uses for it as services go (back) to something most of us have anyway... SMS. 

 

Posted

Google Auth is possible, though I've actually seen it lose traction. Every service I use - banking, PayPal, etc. utilizes SMS and that's at least the initial direction we intend on taking with IPS4. Again, we're not ruling out Google auth - I use it myself, but I have less and less uses for it as services go (back) to something most of us have anyway... SMS. 

Well, SMS means relying on a third party provider, which in this case would probably be something hosted by you, like IPS anti-spam? Google Authenticator is a protocol that can be implemented on any number of client code generator apps.

What about the U2F system? It's gaining support pretty fast now, it's fairly easy to implement (they have a PHP class pre-made for using it), involves no third party services and the tokens can be grabbed on Amazon for a few dollars now. It's also getting wireless/NFC support for mobile in an upcoming revision. It might be good as a secondary option in addition to an SMS/code generator solution.
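To illustrate the point made above that "Google Authenticator" is an open protocol rather than a Google-hosted service, here is an added, self-contained Python implementation of the server side of it: HOTP (RFC 4226) under a time-based counter (RFC 6238, "TOTP"), which is what the Google Authenticator app and every compatible code generator compute. This is not code from this thread, from IPS or from any plugin discussed here. The account name, issuer and secret are constructed; the one-step drift window and the per-user "last accepted step" replay check are design choices assumed for the example.

```python
# Added example: server-side TOTP (RFC 6238) as used by Google Authenticator.
# Not code from the thread, IPS or any plugin discussed here.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' (4 bytes at an offset chosen by the last nibble)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Google Authenticator uses SHA-1, 6 digits and a 30 s step (the defaults here)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def new_secret() -> str:
    """Fresh 160-bit shared secret, base32 without padding: the form the
    Google Authenticator app expects inside the otpauth:// URI / QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def decode_secret(b32: str) -> bytes:
    """Restore the base32 padding (apps and users strip it) and decode."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def otpauth_uri(b32_secret: str, account: str, issuer: str) -> str:
    """URI encoded in the enrolment QR code; any TOTP app can import it."""
    label = quote(issuer) + ":" + quote(account)
    return (f"otpauth://totp/{label}?secret={b32_secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(b32_secret: str, code: str, last_step: int,
                at: Optional[int] = None, window: int = 1,
                step: int = 30) -> Tuple[bool, int]:
    """Check a submitted code. Returns (accepted, new_last_step).

    window:    accept +/- this many steps of phone/server clock drift.
    last_step: (assumed to be stored per user) time step of the last code
               accepted; any step <= last_step is refused, so a code cannot
               be replayed inside its validity window.
    """
    if at is None:
        at = int(time.time())
    secret = decode_secret(b32_secret)
    current = at // step
    submitted = code.strip().replace(" ", "")
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue  # already used, or older than a code already used
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_step


if __name__ == "__main__":
    # Constructed enrolment for a made-up account on a made-up forum.
    s = new_secret()
    print("scan this:", otpauth_uri(s, "alice@example.com", "Example Forum"))
    now = int(time.time())
    ok, last = verify_totp(s, totp(decode_secret(s), now), last_step=0, at=now)
    print("first use accepted:", ok)
    ok, last = verify_totp(s, totp(decode_secret(s), now), last_step=last, at=now)
    print("replay accepted:", ok)
```

The only secret is the 20 bytes shared at enrolment, so the server stores that per user (encrypted at rest) plus the last accepted step; nothing here calls out to Google or any other provider, which is the contrast with an SMS gateway.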

  • Management
Posted

Yes, the idea is it would be an IPS service. 

U2F is something we can look at as well as it continues to gain traction.

 

Posted

Yes, the idea is it would be an IPS service. 

U2F is something we can look at as well as it continues to gain traction.

Awesome. It will be interesting to see how the 2FA area evolves overall!

Posted

Google Auth is possible, though I've actually seen it lose traction. Every service I use - banking, PayPal, etc. utilizes SMS and that's at least the initial direction we intend on taking with IPS4. Again, we're not ruling out Google auth - I use it myself, but I have less and less uses for it as services go (back) to something most of us have anyway... SMS. 

 

How much would it cost to use this service provided by IPS?

Would it be provided free of charge? (I don't believe so)

 

  • Management
Posted

Details aren't ironed out yet, however, we do intend on including a certain amount of SMS notifications with active licenses. 

Posted

Details aren't ironed out yet, however, we do intend on including a certain amount of SMS notifications with active licenses. 

Always nice to get new hosted license services!

Posted

I'm just working on an IPS 4 Plugin to support 2-FA Authentication with Google (Board and ACP).

And I've already heard of FIDO U2F technology, and you convinced me, I've just bought a Yubico U2F key to make tests and why not a plugin ;)

Posted

Eh.  The fact that you're tying security authentication to an active license is rather disconcerting to me.  

What if your license expires or you choose to voluntarily not renew? You're locked out of the ACP because you no longer have access to the SMS service? What if you use up all of your SMS messages for the month, you have to pay more?

2 Factor Authentication can easily become 2 Factor Blackmail.  

 

  • Management
Posted

An active license won't be required for SMS - I said we would include a certain number of credits for active license holders. 

I do like the concept of you having to PayPal me to access your ACP though - I'll send you my PayPal address so you can pre-register! :)

On a serious note - I would anticipate something like Google Auth as well. In reality, SMS is easier for the average user and doesn't require a separate app or device. Further, we have bigger plans for it than just 2FA. 

 

Posted

Finished at 50%


And UPS is on the road to deliver my FIDO U2F key :)

I would somehow make a sub-ui for 2FA. Using top-level tabs might be a bit much if there are multiple methods. I'd have one main 2FA tab, and use smaller sub-tabs for each method, using normal ipstabs!

Also, when you add U2F, be sure to allow adding multiple keys, because you always need a backup if you lose it!

Posted

I do like the concept of you having to PayPal me to access your ACP though - I'll send you my PayPal address so you can pre-register! :)

Interesting :rofl:

 

I would somehow make a sub-ui for 2FA. Using top-level tabs might be a bit much if there are multiple methods. I'd have one main 2FA tab, and use smaller sub-tabs for each method, using normal ipstabs!
Also, when you add U2F, be sure to allow adding multiple keys, because you always need a backup if you lose it!

The "problem" is if I make a sub-ui for 2FA, other developers need to implement their methods in it, and you need to install my plugin. It's a bit complicated. But I will test in the future how I can do it better. Multiple keys for 2FA? Hum, it's a security breach to allow this in my mind, with the QR-Code you can add the system to as many devices as you want. If you have lost your device for example, I think to implement email recovery to disable the system or show a "unique" recovery key. (Lastly, the user can contact the board administrator)

Posted

Interesting :rofl:

 

The "problem" is if I make a sub-ui for 2FA, other developers need to implement their methods in it, and you need to install my plugin. It's a bit complicated. But I will test in the future how I can do it better. Multiple keys for 2FA? Hum, it's a security breach to allow this in my mind, with the QR-Code you can add the system to as many devices as you want. If you have lost your device for example, I think to implement email recovery to disable the system or show a "unique" recovery key. (Lastly, the user can contact the board administrator)

Oh, sub-ui was just a suggestion to not have too many tabs on the user interface for different 2FA systems. I was not talking about any kind of API. Have one tab on the profile interface for all the 2FA systems. If there were separate tabs, combined with the social network tabs there will be too many. 

And the multiple keys is for the U2F USB keys, it means you can add a second U2F USB thing in case you lose your main one. 
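As an added illustration of the backup-key point above (the exchange about registering a second U2F key and a recovery key for a lost device), here is a small Python model of a user's 2FA profile that holds several registered hardware tokens plus a set of single-use recovery codes, and that refuses to remove the last remaining method so the user cannot lock themselves out. This is not code from the thread, from IPS or from the plugin being written. The key handles, public keys and the limit of five tokens are constructed or assumed; real U2F registration data would come from the browser/token exchange, which this model does not perform.

```python
# Added example: per-user 2FA enrolment model with multiple hardware tokens
# and single-use recovery codes. Not code from the thread, IPS or any plugin.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Token:
    label: str          # user-chosen, e.g. "YubiKey on keyring"
    key_handle: bytes   # opaque handle the token returned at registration
    public_key: bytes   # token's registration public key, checked at sign time


def _hash_code(code: str) -> bytes:
    # Recovery codes carry 40 bits of randomness, so a fast hash is adequate;
    # a slow KDF is only needed for low-entropy, user-chosen secrets.
    return hashlib.sha256(code.replace("-", "").lower().encode()).digest()


@dataclass
class TwoFactorProfile:
    tokens: Dict[str, Token] = field(default_factory=dict)      # keyed by hex key handle
    recovery_hashes: List[bytes] = field(default_factory=list)  # hashes of unused codes
    max_tokens: int = 5                                          # assumed policy limit

    def register(self, label: str, key_handle: bytes, public_key: bytes) -> None:
        """Add another token; a second one is the backup the thread asks for."""
        if len(self.tokens) >= self.max_tokens:
            raise ValueError("token limit reached")
        if key_handle.hex() in self.tokens:
            raise ValueError("token already registered")
        self.tokens[key_handle.hex()] = Token(label, key_handle, public_key)

    def revoke(self, key_handle: bytes) -> bool:
        """Remove a token (lost key). Refuses to remove the last token while no
        recovery codes remain, so the account cannot be left with no way in."""
        hk = key_handle.hex()
        if hk not in self.tokens:
            return False
        if len(self.tokens) == 1 and not self.recovery_hashes:
            raise ValueError("last token: issue recovery codes or add another token first")
        del self.tokens[hk]
        return True

    def sign_challenge_handles(self) -> List[bytes]:
        """Every registered handle is offered at login, so any one token works."""
        return [t.key_handle for t in self.tokens.values()]

    def issue_recovery_codes(self, count: int = 8) -> List[str]:
        """Generate fresh codes, keep only their hashes, return the plaintext once."""
        raw = [secrets.token_hex(5) for _ in range(count)]   # 10 hex chars each
        codes = [f"{c[:5]}-{c[5:]}" for c in raw]
        self.recovery_hashes = [_hash_code(c) for c in codes]  # replaces any old set
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Accept a code exactly once and burn it."""
        h = _hash_code(code)
        for i, stored in enumerate(self.recovery_hashes):
            if hmac.compare_digest(stored, h):
                del self.recovery_hashes[i]
                return True
        return False


if __name__ == "__main__":
    p = TwoFactorProfile()
    p.register("main key", b"\x01" * 32, b"\x04" + b"\x11" * 64)    # constructed values
    p.register("backup key", b"\x02" * 32, b"\x04" + b"\x22" * 64)  # constructed values
    codes = p.issue_recovery_codes()
    print("show these once:", codes)
    print("lost main key, revoked:", p.revoke(b"\x01" * 32))
    print("recovery code accepted:", p.redeem_recovery_code(codes[0]))
    print("same code again:", p.redeem_recovery_code(codes[0]))
```

Registering a second token is not the "breach" raised above: each token has its own key pair and handle, and only the public half is stored, so an extra key is a separately revocable credential rather than a copy of the first. Recovery codes are shown once and kept only as hashes, and revoking a token is allowed only while some other way in remains.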

Posted

No problem, I will consider your suggestion if I implement multiple 2FA systems in one plugin.

At first, I will release only a Google Authenticator plugin, after that why not create a centralized plugin with all 2FA systems and release each system separately if someone just wants one implementation. I will think about that.

Okay for the U2F USB keys, I don't know how the system works at the moment, I'm waiting for my key to be delivered to start working on it!

  • 1 month later...
Posted
On 8/15/2015, 10:46:25, JiigSaaw said:

No problem, I will consider your suggestion if I implement multiple 2FA systems in one plugin.

At first, I will release only a Google Authenticator plugin, after that why not create a centralized plugin with all 2FA systems and release each system separately if someone just wants one implementation. I will think about that.

Okay for the U2F USB keys, I don't know how the system works at the moment, I'm waiting for my key to be delivered to start working on it!

Would love either Google2F or U2F :D
