
[Feature Request]: TOTP Auth #2284

Open
Chaostheorie opened this issue Feb 17, 2021 · 8 comments

Comments

@Chaostheorie

It would be nice to be able to additionally use TOTP for authentication as teacher or pupil to secure against password leaks from other platforms. It would improve account security a lot. While the current password policies are reasonable, they don't protect against reused passwords. Especially with the amount of personal information handled by teachers, TOTP with e.g. Twilio Authy, Aegis Authenticator or HENNGE OTP Generator should help prevent human error.

I'm not too sure if this should be posted here or in the nuxt-client repository.

Useful libraries for (T)OTP with support for e.g. google authenticator or compatible alternatives: otpauth and 2fa-utils

@Chaostheorie
Author

Related to: #1745

@janrenz
Contributor

janrenz commented Feb 18, 2021

Hi @Chaostheorie, I fully support this idea from the tech and the security side. We already tested some things here. But: from a strategic side we suggested from the beginning of the project that the Schul/Cloud is used in conjunction with IDM systems provided by the federal states. And from the architectural part TOTP then belongs into the IDM layer. Still, if someone would do a PR we will be happy to review and integrate.

@piwo1984

@janrenz I totally agree with you: this belongs to the IDM layer and shouldn't be mixed in the business layer.
You can think about a solution based on keycloak.

@Chaostheorie
Author

@piwo1984 I'm sorry, if I'm asking a silly question, but where is your IDM-layer code located?
I'm new to the codebase and would love to help with this.

@piwo1984

@Chaostheorie there isn't any code base. This is just an idea about a possible deployment architecture. As @janrenz mentioned this is out of scope of the Schul/Cloud project. But one can think about providing a lean deployment stack (docker-compose based) for others to get an instance of the SchulCloud up and running quickly.

@janrenz
Contributor

janrenz commented Feb 22, 2021

Hi, the things we are doing in a role as an IDM are in the server code. For states where we run with an external IDM, these IDMs are not part of this repo. Some use Univention products, some custom-built stuff, some iServ.
For a local Docker-based instance check: https://github.com/hpi-schul-cloud/docker-compose
For running on K8s you can check out the WIP branches like https://github.com/hpi-schul-cloud/schulcloud-server/tree/kubectls-experiments where we try to move the K8s-specific stuff from an internal repo into the service repos.

@Chaostheorie
Author

@piwo1984 Are you sure this couldn't be integrated? AFAIK TOTP can be integrated without changing the environment too much.
The changes that would be required are an additional field for the key in the identity manager (LDAP) and an additional field or dialog for the key in the login form. The input from this field can be checked by the server with the current time and the key.

@janrenz thank you for pointing me to the repos. I will take a look at it later :)

@piwo1984

@Chaostheorie I'm not aware of this "feature" of schulcloud-server. I will have to inspect this first. But I doubt that integrating TOTP will be this simple. In case you add such a functionality you have to make sure not to break anything else.
