story #11649 protect my account with a TOTP code
Summary
user
protect my account with a TOTP code
My account is protected with a second authentication factor.
  • The multi-factor authentication feature is provided by a plugin
  • Once the first authentication is successful (username/password), I need to enter a TOTP code in order to be logged in
  • All login attempts through the web interface are subject to this:
    • username/password
    • username/password with LDAP
  • All login attempts that cannot redirect the user to a web interface are rejected; the affected endpoints are:
    • REST API
      • token request
      • basic authentication
    • SOAP API
    • SVN (core or plugin)
    • Git over HTTP
    • CVS
  • Authentication relying on a token that has been explicitly requested by the user (i.e. SVN tokens) does not need to validate a second authentication factor
  • Users can enable MFA from their account settings. MFA is enabled once:
    • They have configured their app/hardware token with the randomly generated secret key they were given
    • They have successfully answered one challenge
  • Users can disable the MFA they have enabled
  • The generated secret key is never displayed again after the initial enrollment and is stored encrypted in the DB
  • Only one secret key can be associated per user account (i.e. it is not possible to use multiple app/hardware tokens with different secret keys)

This story does not include:

  • recovery of the user account with recovery codes if the user cannot use the second factor that has been registered: the user won't be able to log in anymore
  • any kind of management by site administrators or project administrators: it is not possible to disable the second factor, nor to enforce MFA for access to the Tuleap instance or to a specific project

 

Status: Canceled
Category: Authentication & LDAP
Development
  • [ ] Does it involve a user interface?
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need JavaScript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
The goal is to be compatible with apps like "Google Authenticator". To be compatible with most of the existing apps, that means supporting TOTP with 6 digits, SHA1 as the algorithm and a new code every 30 seconds. A code from the previous period or the next period (P-1 and P+1) should be considered valid so as not to harm usability too much: 30 seconds could otherwise be too short if the server clock and the user's device are not perfectly synced.

RFC6238 TOTP: Time-Based One-Time Password Algorithm https://tools.ietf.org/html/rfc6238
Also check errata ID 2866 for the test vectors https://www.rfc-editor.org/errata_search.php?eid=2866
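The following is an added example, not code from the Tuleap plugin this story describes. It implements the parameters the story fixes (HMAC-SHA1, 6 digits, 30-second period, codes from P-1 and P+1 accepted) on top of RFC 4226 HOTP and checks itself against the RFC 6238 SHA1 test vectors that errata ID 2866 clarifies (secret ASCII "12345678901234567890"). The `last_used_counter` replay guard, the `generate_secret` helper and the `otpauth://` URI builder are assumptions added here; the story does not specify them.

```python
import base64
import hmac
import secrets
import struct
from urllib.parse import quote

# Shared secret of the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Errata 2866 confirms this 20-byte seed is the one behind the HMAC-SHA1 vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, *, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1):
    """Return the matching counter when `candidate` is valid for the current period or
    for P-window .. P+window (window=1 is the story's P-1 / P+1 rule), otherwise None.

    `last_used_counter` is a replay guard added in this example: the caller persists the
    counter returned by the last successful check, and any counter at or below it is
    refused, so a code seen once cannot be reused inside the three-period acceptance window.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = int(unix_time) // step
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0 or counter <= last_used_counter:
            continue
        # Check every period instead of returning early, and use compare_digest, so the
        # verifier's timing does not reveal which period (if any) matched.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            matched = counter
    return matched


def generate_secret(length: int = 20) -> bytes:
    """Random per-user secret; 20 bytes matches the HMAC-SHA1 key length used by the RFC vectors."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// key URI as understood by Google Authenticator and similar apps.
    The secret is Base32 without padding; SHA1 / 6 digits / 30 s are the defaults those apps assume."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA1 row T=59: 94287082 with 8 digits, hence 287082 with 6 digits.
    print(totp(RFC_TEST_SECRET, 59, digits=8), totp(RFC_TEST_SECRET, 59))
    # Code of the previous period (counter 0) presented at T=59 (counter 1): accepted as P-1.
    print(verify_totp(RFC_TEST_SECRET, "755224", 59))
    print(provisioning_uri(generate_secret(), "alice@example.test", "Tuleap"))
```

The 8-digit vectors from RFC 6238 and the 6-digit codes differ only in the final modulus, so the same function is checked against both; the `verify_totp` return value (the matched counter rather than a bare boolean) is what lets the caller record the last accepted period.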
Details
#11649
Thomas Gerbet (tgerbet)
2023-03-24 14:45
2018-06-20 16:26
11993

References

Follow-ups

gerrit #28143 (Drop incomplete MFA (TOTP based) plugin) integrated into Tuleap 14.6.99.195

This story is replaced by epic #31170


  • Acceptance criteria: only formatting changed
  • Status changed from Done to Canceled
  • Technical informations: only formatting changed
  • Category set to Authentication & LDAP

  • Acceptance criteria: only formatting changed
  • Status changed from On going to Ready (stalled)
  • Technical informations: only formatting changed
  • Category set to