[Request] Two-factor authentication (2FA/TFA)

[JaneX8]

Is your feature request related to a problem? Please describe.

The authentication mechanism does not support a form of multi factor authentication (MFA), two factor authentication (2FA/TFA).

Describe the solution you'd like

I would really like to setup standard TOTP (or HOTP) method for two-factor authentication. I think there are plenty of suitable libraries to help with this including in Python and Javascript.

Describe alternatives you've considered

Setting it up using PAM, similar to how I use 2FA on my SSH connections (https://github.com/google/google-authenticator-libpam). Which was already suggested here: #1936. However simply implementing TOTP is much simpler and easier than implementing PAM or OS-specific authentication.

Additional context

No response

[foosel]

https://pyauth.github.io/pyotp/ looks like a good option for that

[JaneX8]

It does indeed 😃. I recommend however not to use email or SMS as mentioned in that project page, but solely or at least the TOTP method (commonly used with and known for the QR code) instead, perhaps with additional support for HOTP, as provided by the plugin.

In general TOTP is considered more secure than HOTP, and it is more commonly used. If you're interested a great article about this is: https://www.descope.com/blog/post/totp-vs-hotp.

Also, TOTP (and HOTP) are already compatible with many existing authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, Aegis, Bitwarden et cetera) that people most likely already use for some other services. It works offline, as simply a secret is shared (by QR), so no third party or cloud connections are needed for it either.

Also a method should probably be provided to reset or disable MFA if lost, using CLI for example, and/or using pregenerated 'recovery codes' that are shared at setup.

A nice to have would be, in a multiuser environment of Octo, to be able to enforce 2FA on all (other) users, so they are required to enable it at first or next login.

[jneilliii]

A nice to have would be in a multiuser environment of Octo to be able to enforce it for all users, so they are required to enable it at first or next login.

OctoPrint already supports multiple users. Check out the access control settings.

EDIT: I think I understand your statement better now. Making it required for those additional users, not just a single person.

[foosel]

I was just about to point out that you might have misunderstood that sentence 😅

@JaneX8 I use TOTP wherever I can myself instead of email or SMS (with a hardware token and associated authenticator), and neither email nor SMS would be an option anyhow since that would require external servers/services, which is a no-go. So yep, TOTP it will be.

EDIT: However, this won't happen before 1.11.0, 1.10.0 is currently getting the final touches for a first RC and I'd rather not open a new construction site at this point.

[JaneX8]

I clarified that last 'nice to have'-sentence. Sounds good, thank you for your great work @foosel! Hardware token support (browsers now support webauthn/FIDO2, https://caniuse.com/?search=webauthn) as a next feature request? 😏.

Don't forget to support @foosel on Patreon or other platforms.

[foosel]

Hardware token support (browsers now support FIDO2) as a next feature request? 😏.

I think I'll rather look into requiring exposing additional factors via some plugin interface and leave that to the community 😅 TOTP should already cover the bases for the majority of users.

[jneilliii]

https://github.com/JoveToo/OctoPrint-MFA

[JaneX8]

A few more thoughts about this that might be helpful for future implementation. I see those commonly weakly implemented:

• to avoid the risk of shoulder surfing, the input field for the OTP should be considered type=password and not type=text (hence invisible when being typed)
• (optionally) the OTP can be auto submitted after the last digit it typed, this reduced the time between the last user input and the actual submit, which decreases the timeframe for misusing the OTP, for example when captured using a keylogger
• the OTP should be invalidated after being used once. It's called a one-time-password for a reason. Often I see a simple validation of the OTP, which can be (re)used 100x as long as it is used within the right timeframe. This can for example be prevented through a simple serverside temporary caching mechanism. It prevents the risks of replay attacks where the code is reused directly after for example it being captured using a MitM attack.
• after an invalid OTP has been entered, one should be redirected to the first login step (username and password), this reduced the risk of brute-forcing the OTP code, note that a simple form of rate limiting should perhaps exist anyway on the regular login.
• a common practice is to allow the previous X and next X OTP's to be valid as well, to avoid time synchronization issues between the server and client. The secure practice is to keep both in sync and only allow the current code. But since that's likely inviable for this project, the amount of previous and next OTP's that are allowed should at least be somewhat limited or configurable. Projects like OctoPi could additionally for example make sure that time is synchronized serverside (for example ntp/chrony).

[JaneX8]

https://github.com/JoveToo/OctoPrint-MFA

Thanks for sharing. I will check that out later.