New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request] Two-factor authentication (2FA/TFA) #4932
Comments
https://pyauth.github.io/pyotp/ looks like a good option for that |
It does indeed 😃. I recommend however not to use email or SMS as mentioned in that project page, but solely or at least the TOTP method (commonly used with and known for the QR code) instead, perhaps with additional support for HOTP, as provided by the plugin. In general TOTP is considered more secure than HOTP, and it is more commonly used. If you're interested a great article about this is: https://www.descope.com/blog/post/totp-vs-hotp. Also, TOTP (and HOTP) are already compatible with many existing authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, Aegis, Bitwarden et cetera) that people most likely already use for some other services. It works offline, as simply a secret is shared (by QR), so no third party or cloud connections are needed for it either. Also a method should probably be provided to reset or disable MFA if lost, using CLI for example, and/or using pregenerated 'recovery codes' that are shared at setup. A nice to have would be, in a multiuser environment of Octo, to be able to enforce 2FA on all (other) users, so they are required to enable it at first or next login. |
OctoPrint already supports multiple users. Check out the access control settings. EDIT: I think I understand your statement better now. Making it required for those additional users, not just a single person. |
I was just about to point out that you might have misunderstood that sentence 😅 @JaneX8 I use TOTP wherever I can myself instead of email or SMS (with a hardware token and associated authenticator), and neither email nor SMS would be an option anyhow since that would require external servers/services, which is a no-go. So yep, TOTP it will be. EDIT: However, this won't happen before 1.11.0, 1.10.0 is currently getting the final touches for a first RC and I'd rather not open a new construction site at this point. |
I clarified that last 'nice to have'-sentence. Sounds good, thank you for your great work @foosel! Hardware token support (browsers now support webauthn/FIDO2, https://caniuse.com/?search=webauthn) as a next feature request? 😏. Don't forget to support @foosel on Patreon or other platforms. |
I think I'll rather look into requiring exposing additional factors via some plugin interface and leave that to the community 😅 TOTP should already cover the bases for the majority of users. |
A few more thoughts about this that might be helpful for future implementation. I see those commonly weakly implemented:
|
Thanks for sharing. I will check that out later. |
Is your feature request related to a problem? Please describe.
The authentication mechanism does not support a form of multi factor authentication (MFA), two factor authentication (2FA/TFA).
Describe the solution you'd like
I would really like to setup standard TOTP (or HOTP) method for two-factor authentication. I think there are plenty of suitable libraries to help with this including in Python and Javascript.
Describe alternatives you've considered
Setting it up using PAM, similar to how I use 2FA on my SSH connections (https://github.com/google/google-authenticator-libpam). Which was already suggested here: #1936. However simply implementing TOTP is much simpler and easier than implementing PAM or OS-specific authentication.
Additional context
No response
The text was updated successfully, but these errors were encountered: