Posted by greggles on August 15, 2014 at 3:11pm
Last updated by AlexKirienko on Wed, 2015-07-22 12:40
There's an issue to deploy TFA on drupal.org. There will be a lot of questions about how people can generate TOTP codes. Let's write up a book page to help them. Please edit this wiki page to help turn it into a resource (e.g. a book page on d.o or help text inside the module).
There are multiple free and Free options for creating TOTP codes on a smartphone or computer such as:
Phone-based solutions:
- Google Authenticator for iOS or Android
- Authy for iOS and Android
- FreeOTP for Android
- Authenticator for Windows Phone from Microsoft
- Duo Mobile for Blackberry, iOS, Android, or Windows Phone
Desktop solutions:
- Browser based html5-google-authenticator meant to be served/used locally
- Firefox browser plugin Gauth.
- OATH Toolkit command line tool (Ubuntu, OS X)
In general, tools connected to a phone are more secure than a tool in your browser. If someone steals your computer they are more likely to get access to username/password and a browser-based solution than they are to steal both computer and phone.
Solutions that don't seem to work:
- Chrome browser plugin SecureAuth
Comments
I couldn't get SecureAuth for Chrome to work
I just tried using SecureAuth but I couldn't get it to work. :-/ It may be my misunderstanding of the addon? But I tried doing a "Manual registration" and entering the key - after hitting the "Register" button, nothing happens! I tried putting a couple different URLs in for automatic registration but nothing good happened.
Okey doke, I moved that one
Okey doke, I moved that one down.
Thanks for testing it out. I don't really like the idea of a browser plugin since most of them require full access to website data and the ability to make outbound network connections - that's a recipe for risk.
knaddison blog | Morris Animal Foundation
Well, any application run as my user on my local computer...
Well, any application run as my user on my local computer can access my browser data (it's just dot files in my home directory) and make outbound network connections. I'm not sure there's a way to mitigate that risk...
Right, that's a risk for the
Right, that's a risk for the browser plugins, or a java based solution or the cli tools that Matt V points out (although the cli tools are open-source, so there's that).
But if you have a local file folder with the html5-gauth code inside of it and you point your browser at that to get a code then I'm not aware of a way that the html/javascript running in that browser tab can do anything particularly malicious. Right?
knaddison blog | Morris Animal Foundation
But if you have a local file
Yeah, I think that's right! localStorage for one domain should be safe from Javascript from another domain.
command line options
I'm reluctant to update the wiki page just yet, since I haven't tested these options, but I found a few other possible solutions.
One option is ga-cmd. According to the README, it's "…like Google Authenticator, but on a command line using your Linux box."
The other command line option I've seen referenced is oathtool. I couldn't find a lot of documentation on the specifics, but this blog post on Using OATH Toolkit with Dropbox appears to be the steps you'd need to go through. Again though, I haven't had a chance to test it myself. It sounds like the OATH Toolkit can be used on Windows, but would require something like Cygwin to get going.
Smart Phone Dependency/Requirement
Personally, I'm a fan of Google Authenticator and use it for several services. My comment is more on the requirement to have a smartphone. I know it's taken for granted and I know that smart phone ownership is predominant for individuals in this industry, so I do not want to assume an issue where none exists. Therefore, I think we should probably recommend at least one non-smartphone solution for the situations where a smartphone is not available/allowed (rare as those cases may be).
Yes, I see it as a
Yes, I see it as a requirement as well that we recommend at least one non-smartphone option. Among the ~10 testers of the dev site so far, 2 didn't have a smartphone that was compatible with Google Authenticator.
There are also some work environments (e.g. white-room/pci-compliant zones) where smartphones aren't even allowed.
knaddison blog | Morris Animal Foundation
I'm not sure how the
I'm not sure how the non-smartphone options are meant to work.
I tried the HTML5 one (https://github.com/gbraad/gauth). Ran it locally, got a code generated. But I ran it again to authenticate a different browser, and obviously the key that I gave it from the site has gone, and I don't see how to get d.org to give it to me again.
I've not tried the browser plugin ones yet.
But with both of these, it seems to me there's a problem because they're tied to the particular machine I'm on, say, my laptop. I'm not sure how I'm going to authenticate my desktop machine with this set-up.
And last of all, as pointed out above, it's not adding all that much security at all. Most of all, it's adding hoops for me to jump through.
It's true that if you want to
It's true that if you want to set up your totp generator (e.g. gauth) across devices you will have to get the same seed value installed in all of the browsers and all the computers that you want to use it on. You will probably have to remove the current one and add a new one. But it definitely works, in this screenshot I installed the same seed into Firefox and then Chrome but didn't install it in Safari.
I encourage you to do research about solutions and share the results of your experience.
I don't see "above" where anyone has said that this doesn't add much security. I encourage you to read more about how it works because I'm rather confident that it does add security. In August of 2014 we ran a paid bug bounty with up to $500 per exploit where people had the username and password for an account and were invited to break in. Several talented people attempted it and none were successful. Both the concept and this specific implementation of it are definitely much stronger in terms of security.
That bounty is effectively still open via https://bugcrowd.com/card - if you are certain that it's not adding much security then please provide details of how to bypass it via that program and you can earn yourself some cool cash.
knaddison blog | Morris Animal Foundation
I don't see "above" where
Sorry, I misread and misinterpreted and reworded badly. What I was referring to was your own comment in the post:
I'm not convinced this adds much security in the sort of situation I'm in. My current d.org password is, I believe, a fairly strong one (a 'correct horse battery staple'-type one with about 6 or 7 words). But I'm logged in all the time on my laptop, so if someone gets hold of my laptop, bang! that's screwed already.
Granted, if my laptop is stolen, TFA means that the laptop can be specifically blocked from logging in, but practically, if my laptop gets stolen, either I'm away from home and I won't have any means of logging in to d.org to do that, or I'm at home and my main computer's been stolen too. So by the time I can get myself online to maybe contact a d.org admin to let them know to deactivate that device, a hacker could have wreaked all sorts of havoc... And also, I'm afraid that if my laptop gets stolen, I'll have other things on my mind than securing my d.org account, sorry.
I have a smartphone but it's
I have a smartphone but it's too old to run any of the listed options.
I didn't realize that Duo has
I didn't realize that Duo has a solution for blackberry, ios, android and windows phones. That feels like a pretty solid choice to recommend.
Can/should we start incorporating these into the module itself? Perhaps as an editable help blurb that shows up on the page where you actually configure your device to generate the code?
knaddison blog | Morris Animal Foundation
Here's an AWS app for android
Here's an AWS app for android phones, though not sure what it offers that google doesn't
http://www.amazon.com/gp/product/B0061MU68M
AWS also links to this list of possible other software solutions:
http://motp.sourceforge.net/#7
Yubikey?
Is there any scope to add support for Yubikeys? I know quite a few people who are using them in the UK community now.
http://drupal.org/project/yubikey
http://www.yubico.com
The module you link to is a
The module you link to is a different module/structure than the tfa module. I doubt the user-experience of running them both would be very good and it wouldn't be possible to require one or the other for admin accounts (that is a goal, that elevated accounts on d.o must use TFA). As far as I can tell, the Yubikey module alone doesn't solve the problem of what to do if you lose the Yubikey (i.e. having fallback to recovery codes) which would increase the support burden. It's also not a free solution whereas TFA/TOTP with recovery codes can be used in a completely free and Free way. Those are not explicitly blockers to deploying Yubikey, but they seem like concerns that would need to be reviewed/addressed before deploying Yubikey.
One way to address those issues is if there were a Yubikey plugin to tfa.module as an option alongside totp. That way there are still Free/free options alongside the Yubikey and the recovery-code feature from tfa can provide a fallback if someone loses their Yubikey device.
knaddison blog | Morris Animal Foundation
Note that if you have a
Note that if you have a Yubikey Neo and Android phone with NFC you can store the OATH credentials (for TOTP and HOTP) on the key itself, and access them using NFC, which is an improvement over using Google Authenticator or similar (in terms of reducing the potential for network/software attacks).
https://play.google.com/store/apps/details?id=com.yubico.yubioath&hl=en
desktop client discussion
Here's a stackexchange/superuser thread on different desktop clients http://superuser.com/questions/462478/is-there-a-google-authenticator-de...
If you can get the base32
If you can get the base32 secret you can trivially make a CLI tool to give you the codes using e.g. this ruby library https://github.com/mdp/rotp or similar ones in other languages.
I've used that for testing purposes with AWS - while for the real AWS accounts the code is in Google Authenticator on the phone.
The link to 'Firefox browser
The link to 'Firefox browser plugin Gauth Authenticator' is broken -- maybe the app has been removed from the Firefox marketplace?
Fixed the link,
Fixed the link, https://marketplace.firefox.com/app/gauth
Suggestion for the docs
I'm one of the people who apparently needs to set up TFA -- I received an email this morning saying I need to set it up.
So, after logging in today, I clicked on the Security tab, and then was taken to the app setup link on d.o. I think the docs on that page are unclear, and I have a couple of suggestions/thoughts.
So, here's how my thinking/process went:
a) I got this email message, which unfortunately didn't tell me "Log in and click 'Security' to continue." I found that information by reading
https://www.drupal.org/node/2482771
That page really doesn't say much except "log in and click Security". So maybe that instruction could be put in the standard email message?
b) When I log in to d.o, I am always doing so from Ubuntu Firefox. So after clicking Security, and following the link to set up TFA, I looked down the list of methods for the TFA, and most of them are on smartphones. But I don't log in from my phone ever, I log in from my laptop or desktop, so I skipped these. [That was a mistake, see below]
c) So I clicked on the one non-phone option, and it took me to
https://github.com/gbraad/gauth
This is a Github project page. No immediate information on how to install it was present. It's just a wall of text with a download link but very little information about the project, what it does, whether it's safe to install, etc. I realize Drupal people probably have no influence on this page, but ... maybe some extra information about this like "Click on xxx to figure this out" or "This is a ... and it sets up a ..." on the d.o page would be useful additional information.
d) So then I clicked on a link that took me here to this groups.drupal.org page. I read through the post here and the comments, and Doh! I realize I can use an Android app to do the TFA (maybe anyway) for logging in via my usual browser.
So I'm going to try that, but meanwhile, suggestions:
In the "You need to do TFA" email, just say "Log in and click on Security".
On https://www.drupal.org/node/2482771 and on the page you get to when you click Security and go to set up your TFA, make it clear that even if you're logging in via a browser (which I think most people do on d.o right, when they're logging in to do issues etc.?), you can use a smartphone app to do the actual TFA generation.
Maybe this was obvious to everyone but me, but... maybe not, and it wouldn't take much to make it clearer.
Anyway... I'll see if the Android app works for me, but meanwhile I'm glad this post was here.
Drupal programmer - http://poplarware.com
Drupal author - http://shop.oreilly.com/product/0636920034612.do
Drupal contributor - https://www.drupal.org/u/jhodgdon
I've possibly set up Gauth
I've possibly set up Gauth incorrectly, but I don't know what I'm doing wrong.
About a week ago I added it to Chrome as an app, and entered the authentication code.
Today, d.org has asked me for a TFA code, so I opened the app in Chrome. Except my password has gone: all I see is the initial default 'alice@google.com'.
So I've had to go get my laptop, where I'm still logged into d.org, reset TFA with that to get a new authentication code.
Which I'm going to have to write down somewhere, as nothing I do with Gauth seems to work :(
Please add OATH Toolkit -
Please add OATH Toolkit - http://www.nongnu.org/oath-toolkit/ as client for desktop.
I'm using it on Ubuntu 14.04 in terminal, works perfectly with the command:
oathtool --totp -b <your_secret>
Brilliant! Thank you so much
Brilliant! Thank you so much for posting this -- this change has been a PITA for me so far because I don't have a phone that will run any of the apps.
I can report this works perfectly on OS X with homebrew: http://brewformulas.org/OathToolkit
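What `oathtool --totp -b <your_secret>` above and a rotp-style script (suggested in an earlier comment) actually compute, as an added worked example that is not part of the original thread or of any tool it lists: RFC 6238 TOTP from a base32 secret in plain Ruby using only the standard library, plus the server-side check that accepts a code from one 30-second step either side of the current one. The secret is the RFC 4226/6238 test vector, not a real one; `totp_valid?` is this example's own name.

```ruby
require 'openssl'

# RFC 4648 base32 decoder, written for this example (no rotp dependency).
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

def base32_decode(str)
  bits = str.upcase.delete('= ').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c}"
    idx.to_s(2).rjust(5, '0')
  end.join
  # Drop trailing bits that do not complete a byte (padding from the encoder).
  bits[0, bits.length - (bits.length % 8)].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits: 6)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), secret, [counter].pack('Q>')).bytes
  offset = mac.last & 0x0f
  code = ((mac[offset] & 0x7f) << 24) |
         (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) |
         mac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, '0')
end

# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch.
def totp(base32_secret, time = Time.now.to_i, step: 30, digits: 6)
  hotp(base32_decode(base32_secret), time / step, digits: digits)
end

# Constant-time string comparison so the check itself leaks nothing about the expected code.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verification: tolerate clock drift of +/- `window` steps.
def totp_valid?(base32_secret, submitted, time = Time.now.to_i, step: 30, window: 1)
  secret = base32_decode(base32_secret)
  (-window..window).any? { |d| secure_equal?(hotp(secret, time / step + d), submitted.to_s) }
end

# Constructed demo secret: base32 of the RFC test seed "12345678901234567890".
DEMO_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
puts totp(DEMO_SECRET) if __FILE__ == $PROGRAM_NAME
```

Running the file prints the same six-digit code that `oathtool --totp -b GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` prints at the same moment.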
Welcome. Actually I can edit
Welcome.
Actually I can edit this wiki page. So I have added OATH Toolkit for Desktop solutions with your link. Thank you.
I think it will be useful to add link to OATH Toolkit on D.org setup page too.