Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add MFA, TOTP and OTP authentication adapters #60

Open
visto9259 opened this issue Apr 5, 2024 · 5 comments
Open

Add MFA, TOTP and OTP authentication adapters #60

visto9259 opened this issue Apr 5, 2024 · 5 comments
Labels
enhancement New feature or request V4 To be implemented in version 4
Milestone
4.0.0

Comments

@visto9259
Copy link
Member

visto9259 commented Apr 5, 2024
edited
Loading

Add authentication adapters for MFA:

  • One Time Password (OTP)
  • Time based OTP (TOTP) like Google Authenticator
  • It has to be an option enabled by the user (during registration?)
  • It has to be flexible to support/customize how the OTP is sent to the user (email, SMS, etc)

Start from the PR subimitted by @lampi87 (#30

There should be clear documentation on how to extend the adapter to support customized MFA flows
@visto9259 visto9259 added enhancement New feature or request V4 To be implemented in version 4 labels Apr 5, 2024
@visto9259 visto9259 changed the title Add support for MFA and OTP Add MFA, TOTP and OTP authentication adapters Apr 5, 2024
@visto9259
Copy link
Member Author

This will require major changes in the login flow.

MFA needs multiple steps, user/credentials login form. If pass then go to next step. If fail, go back to login with error message. In the next step, validate the 2nd authentication factor. If pass, then we are done, if failed then stay in that step to validate a corrected 2nd authentication factor.
To make it generic, each step should stay in that step until authentication succeeds.

Currently, LmcUser has a one factor login flow: identity/credentials login form, pass or fail

@lampi87
Copy link
Contributor

lampi87 commented Apr 12, 2024

You may have a look at https://github.com/lampi87/LmcUserOTP
It might not be 100% bullet proof and fully generic. But for my use case it works very well and stable

Enabling OTP, define mobile number or add and verify TOTP token, must be handled by application

@visto9259
Copy link
Member Author

Thanks @lampi87

I am working on a more generic version and I am looking at your version to see how this would work. I would like the 2nd factor to be some sort of plugin and have plugins/adapters for sending messages as well.

LmcUser was designed to have a one step login. In a 2FA situation, if, for example, the code entered in the 2nd step is not valid, it should stay in that step to let the use try again.

Once I have something working, I will be looking at volunteers to try it out.

@visto9259 visto9259 added this to the 4.0.0 milestone Jun 25, 2024
@visto9259 visto9259 moved this from 🆕 New to 📋 To Do in LmcUser Development Jun 26, 2024
@visto9259
Copy link
Member Author

visto9259 commented Jun 27, 2024
edited
Loading

Additional requirements:

  • MFA should be optional and the authentication type should be on a user basis. Obviously, there should only be one authentication type per user.
  • The authentication should only be performed when all factors have been gathered (password, code, etc) according to the authentication type. As such, if the first step is to get username and password, then there should not be any validation of the password at that step but only once the second factor has been gathered, for example, via a form to enter the OTP

@visto9259 visto9259 mentioned this issue Jun 27, 2024
Open
@visto9259
Copy link
Member Author

See also #28

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request V4 To be implemented in version 4
Projects
LmcUser Development
Status: 📋 To Do
Milestone
4.0.0
Development

No branches or pull requests
2 participants
@lampi87 @visto9259