Authenticator support

  • @UncleSam


    Well, you're talking about a multi-step authentication process where there is an intermediate page (or dialog) that is dynamically loaded, depending on the username and the 2FA implementation that is currently effective for that username (user). For instance: username == xxxx ---> SQL query (2FA enabled for xxxx?) < - yes/no -> Yes ? --> which 2FA implementation for xxxx ? <- Yubikey OTP -> load Yubikey OTP intermediate form, then ask the user to fill in the field for YubiKey OTP authentication and finally, on form submission, process the authentication. Is that what you meant?


    This could be done this way of course. I'll review this in a later YubiKeyAuth plugin version, and when the Google 2FA auth plugin is ready.


    BTW:


    By doing it this way, some crazy people could even add many 2FA implementations in the authentication process ---> step1 credentials, step2 Yubikey OTP, step3 Google Authenticator .... Our authentication class is based on events where an authentication handler is an event listener that listens on the onAuthenticate event.


    There can be many authentication handlers listening on the onAuthenticate event, and each of them can short-circuit the event at any time, meaning that any other handler would be discarded, or can let the other handlers do their job. In that latter case, there are many steps required in the authentication process, each listener implementing its own authentication logic. Here, the authentication process would succeed only if all handlers returned a successful authentication result. This is already what I do with the YubiKeyAuth plugin, which provides its own handler (a listener that listens on the onAuthenticate event that is triggered by i-MSCP). However, depending on the administrator setup, that handler, which is registered with high priority, lets the default credential authentication handler do its job or not (think of single-factor auth using Yubikey only).

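    The handler chain described in the post above, as an added example: this is not i-MSCP's or the YubiKeyAuth plugin's code, and the `AuthEvent`, `EventManager` and handler classes are hypothetical stand-ins for the real onAuthenticate machinery. It shows listeners running in priority order, a higher-priority second-factor handler that either short-circuits the chain (single-factor mode) or lets the credential handler run, and a final result that is only true when every handler that ran succeeded. The user store and the OTP verifier are constructed demo data; a real deployment would validate the OTP against the YubiKey validation service.

    ```php
    <?php
    // Added example (hypothetical API, not i-MSCP's): an event-based auth chain.
    declare(strict_types=1);

    final class AuthEvent
    {
        private bool $stopped = false;
        /** @var array<string,bool> handler name => result */
        private array $results = [];

        public function __construct(public array $params) {}

        public function stopPropagation(): void { $this->stopped = true; }
        public function isStopped(): bool { return $this->stopped; }
        public function record(string $handler, bool $ok): void { $this->results[$handler] = $ok; }
        /** @return array<string,bool> */
        public function results(): array { return $this->results; }
    }

    interface AuthHandler
    {
        public function name(): string;
        /** Return true on success; may call $event->stopPropagation() to discard later handlers. */
        public function handle(AuthEvent $event): bool;
    }

    final class EventManager
    {
        /** @var array<int,AuthHandler[]> priority => handlers */
        private array $listeners = [];

        public function attach(AuthHandler $h, int $priority = 0): void
        {
            $this->listeners[$priority][] = $h;
        }

        // Returns true only if at least one handler ran and none of them failed.
        public function trigger(AuthEvent $event): bool
        {
            krsort($this->listeners); // highest priority runs first
            foreach ($this->listeners as $handlers) {
                foreach ($handlers as $h) {
                    $event->record($h->name(), $h->handle($event));
                    if ($event->isStopped()) {
                        break 2;
                    }
                }
            }
            $r = $event->results();
            return $r !== [] && !in_array(false, $r, true);
        }
    }

    // Default step: username/password against stored password hashes.
    final class CredentialHandler implements AuthHandler
    {
        /** @param array<string,string> $users username => password_hash() output */
        public function __construct(private array $users) {}
        public function name(): string { return 'credentials'; }
        public function handle(AuthEvent $e): bool
        {
            $hash = $this->users[$e->params['username'] ?? ''] ?? null;
            return $hash !== null && password_verify($e->params['password'] ?? '', $hash);
        }
    }

    // Second factor, attached with higher priority so it runs before the credential step.
    // Not enrolled: step does not apply, let the chain continue.
    // Enrolled and OTP fails: fail and short-circuit (later handlers are discarded).
    // Enrolled, OTP ok, single-factor mode: succeed and short-circuit (hardware token only).
    final class SecondFactorHandler implements AuthHandler
    {
        /** @param array<string,bool> $enrolled  @param Closure(string,string):bool $verify */
        public function __construct(private array $enrolled, private bool $singleFactor, private Closure $verify) {}
        public function name(): string { return 'second-factor'; }
        public function handle(AuthEvent $e): bool
        {
            $user = $e->params['username'] ?? '';
            if (empty($this->enrolled[$user])) {
                return true;
            }
            $ok = ($this->verify)($user, $e->params['otp'] ?? '');
            if (!$ok || $this->singleFactor) {
                $e->stopPropagation();
            }
            return $ok;
        }
    }

    // Constructed demo data: one user, one fixed OTP accepted by the stand-in verifier.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    $otpVerifier = fn(string $u, string $otp): bool => $u === 'alice' && hash_equals('DEMO-OTP-ALICE', $otp);

    $em = new EventManager();
    $em->attach(new CredentialHandler($users), 0);
    $em->attach(new SecondFactorHandler(['alice' => true], false, $otpVerifier), 100);

    $good = new AuthEvent(['username' => 'alice', 'password' => 'correct horse battery staple', 'otp' => 'DEMO-OTP-ALICE']);
    $bad  = new AuthEvent(['username' => 'alice', 'password' => 'correct horse battery staple', 'otp' => 'wrong']);
    echo 'both factors valid: ', var_export($em->trigger($good), true), PHP_EOL;
    echo 'bad OTP, good password: ', var_export($em->trigger($bad), true), ' ', json_encode($bad->results()), PHP_EOL;
    ```

    Flipping the `singleFactor` flag to `true` makes a valid OTP stop propagation, so the credential handler is never consulted; with it `false`, both handlers must record a success for `trigger()` to return true.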

  • @UncleSam I've updated my previous answer. See the BTW part ;)


  • while talking about 2FA, U2F would be great; while browser support is still limited (Chrome and Opera natively, Firefox with an addon) it's not only used on most YubiKeys but there are also pretty cheap sticks which can go as low as 5€


    also U2F doesn't rely on an external service, making it even better.



    Well, you're talking about a multi-step authentication process

    well aside from going into overkill with 2FA, a multi-step auth process means not confusing users who don't know about the 2FA stuff.

    asperger inside(tm)


  • well aside from going into overkill with 2FA, a multi-step auth process means not confusing users who don't know about the 2FA stuff.

    What is your problem exactly with my answer? I would just remind you that here, we are in the development section of our forums ;) We are not here to teach the users ;) They can always google if they don't understand a term.


  • there is no problem. I just think that from a user perspective multi-step is a good idea, because the users don't have to care.

    asperger inside(tm)

  • @My1


    Well, generally speaking, a user that uses a YubiKey or any similar hardware will be able to make the distinction between 2FA, FIDO U2F and so on... People that are not familiar with those terms will generally read the service FAQ of the platform on which they want to log in, or simply make a search on Google. A user that sees a field with a label such as YubiKey OTP should be curious enough to search for its meaning. For instance, there is a big difference between the OTP and FIDO U2F protocols. We can not just say: multi-step authentication process, which can mean all and anything.


  • while there are probably also people out there clever enough to search, there are people who may be too lazy to search or whatever (I've seen a lot of stuff on the web) and then contact support because they can't log in since they have no idea what to enter. Well, with the target of i-MSCP being web admins the probability of that is lower than on average, but it's probably still there.


    just my opinion.

    asperger inside(tm)

  • there are people who may be too lazy to search or whatever (I've seen a lot of stuff on the web) and then contact support because they can't log in since they have no idea what to enter

    Always the same problem... Lazy people... Frankly, I don't care about them. Those people are just idiots. Anyone should be at least able to read a FAQ. But right, you're deviating from the subject here... It would be good if you could avoid polluting threads each time you're writing ;)


  • well people don't like to care about those, but as soon as they run into support it would be annoying. Also there aren't just lazy users but also users that frankly aren't that clever, and sometimes you get a mixture of both.
    and as you said in the earlier post, a multi-step process will be very helpful (if not the absolute requirement) for offering multiple different 2FA solutions (especially U2F needs to know which account you want to connect to, so it can deliver the challenges)

    asperger inside(tm)