Two-Factor Auth - Implementation details #12102
Comments
So this means external apps do not need to send the user's password any more? 😄
Yes. - And if we implement this properly (aka: "plug OAuth above it") we can even limit the access scope of external applications 🎉
@LukasReschke Sounds good in general. I suggest to discuss this in a call the next few days.
Sure. Feel free to make an invite.
my two cents:
Cool. Let's implement this! 👍
Good stuff! How do we handle this form of 2 factor for mobile and desktop? Do we need to consider adding an additional pin/something for the user to take advantage of 2 factor on the client too?
Application-specific passwords, just like everybody else does it too. That should be sufficient for the first step. I'll ensure to return a proper status code to the client in case two-factor auth is needed so we can show a little popup like "Please generate a token at demo.owncloud.org". Once everything is done we can think about implementing an OAuth-like login approach for mobile devices. But I think we should get the basics right first :-) I really don't want to throw too many different things together into this. - Would that work?
Out of the box, that would work. Second step is, of course, to integrate with existing enterprise 2-factor systems for auth, such as RSA tokens or something like that. We should just make sure we have proper architecture to offload the 2 factor to an external system as well (or integrate with it), whichever makes more sense.
Sure. That is the goal, the whole system is meant to be pluggable. Throwing in your own self-made connector (SMS / Authy / SmartCard / whatever) should not be a problem with the architecture that I think of.
Duo Security? They have libraries for php, see https://www.duosecurity.com/docs/duoweb
👍
Would love to see this!
@MTRichards I need a call regarding priority here
@LukasReschke this is related to what you discussed in Berlin, right? How does that relate to this? @karlitschek did you ever have the deeper conversation about how this impacts LDAP / AD? @cmonteroluque unless I missed something, this is not ready for 8.2 certainly, and not required for 8.2.
@MTRichards ok, moved to 9.0
Any progress here? Since we're past feature freeze, would move this to 9.1.
For ownCloud 8 we are aiming to implement Two-Factor authentication, the following requirements are given:
`\OC_User_Backend`, this approach has been tried in the past but is a major hack

This issue is here to track the changes required for the change and also the required features. Any suggestions are welcome.
Todo: