Google Authenticator

[AP05E29N-A]

it would be great if ownCloud implemented, maybe through a plugin, support for the Google Authenticator.

https://github.com/PHPGangsta/GoogleAuthenticator
https://code.google.com/p/google-authenticator/

[LukasReschke]

I'm already working on this.

[steveathon]

That's fantastic.

I'm just finishing an implementation of abstract two factor, Including google authenticator, with crowd, so happy to help if needed.

On 01/11/2012, at 8:04 PM, Lukas Reschke [email protected] wrote:

I'm already working on this.
—
Reply to this email directly or view it on GitHub.

[DeepDiver1975]

@LukasReschke Cool - thanks a lot for your effort!
Can you please do me the favor and write down what you plan to implement?
I'd like to see some discussions on new enhancements before diving into implementation.

According to the development process we are trying to setup now this ticket is in the phase '2 - Concept':
http://owncloud.org/dev/kanban-board/

Let's try and see if we can make this work - Thanks a lot!

[LukasReschke]

Did I miss anything cool? :-)

Features

• Implemented as an application
  • Admins can just enable the app if they need it
• Implements RFC 4226
  • Existing applications like Google Authenticator can be used
• Allows creating of generators (e.g. Google Authenticator on your Nexus)
  • Of course with a QR code to scan (but also the key in plain in case you don't have a cam)
  • Every generator gets an own secret key
    • You can remove a generator in case you lost it / don't trust it anymore
    • You can have multiple generators without a security issue.
      • If you use the same key, an attacker could steal it with just looking at your screen.
      • User have to verify the generator before it's accepted
• Allows creating of application specific passwords
  • You can login using DAV clients or our mobile apps.
  • You can delete them.
  • You see when they were last used.
• "Trusted devices"
  • You can trust a device so you don't have to enter a token every time you login
  • You can revoke it
• Admins are able to disable it for users
  • In case a user lost his password or his device
• Recovery keys
  • Gives the user the possibility to print recovery keys, they acts like a TAN
  • Users are able to regenerate it in case they lost them

[danimo]

Also, yubikey support (http://www.yubico.com/yubikey) would be possible if we had a two-factor framework.

[DeepDiver1975]

Looks like we have multiple backends?
Can we have a unified UI?
How will UI look like? @jancborchardt :-)
THX

[jancborchardt]

@LukasReschke what does the interface look like at the moment? Would be cool if you have a screenshot or something, of both what users and admins would see.

[rubenvb]

What is the ETA for this? Is this planned for Owncloud 5.0? Cause it sounds finished when I read these comments ;-)

[Inow-zz]

When are we going to see this feature? Any rough idea please?

[DeepDiver1975]

When are we going to see this feature? Any rough idea please?

afaik - no.
Feel free to contribute to ownCloud by implement this feature.

[jancborchardt]

What’s the state of this @LukasReschke? Please comment.

[beniroquai]

Yeah! This Feature would be awesome!

[cyb0x]

A similar request can be found here #4720

But there is already an app in the store, so they both could be closed I guess: http://apps.owncloud.com/content/show.php/One+Time+Password+Backend?content=159196

[djtm]

No, actually the app does not provide application specific passwords, it only provides OTR one time key functionality.

Actually I think the application specific passwords could and should be done properly here: resource specific passwords. You should be able to select which resources a password may access. Ideally, if the password tries to access another resources, the password should be disabled and a warning displayed.

e.g. a password for the
web interface:

• calendar
• addressbook
• news

a password for:

• webdav
• webinterface

[MorrisJobke]

#12102