epic #11648 Multi-Factor Authentication

story #11649 protect my account with a TOTP code

Artifact

Summary

As a

user

I want to *

protect my account with a TOTP code

So that

My account is protected with a second authentication factor.

Acceptance criteria

The multi-factor authentication feature is provided by a plugin

Once the first authentication is successful (username/password), I need to enter a TOTP code in order to be logged
All logins tentative through the web interface are concerned by this:
- username/password
- username/password with LDAP
All login tentatives that can not redirect the user to a web interface are declined, concerned endpoints are:
- REST API
  - token request
  - basic authentication
- SOAP API
- SVN (core or plugin)
- Git over HTTP
- CVS
Authentication relying on a token that has been explicitely requested by the user (i.e. SVN tokens) do not need to validate a second authentication factor to be authenticated
Users can enable the MFA from their account parameters. The MFA is enabled once:
- They have configured their app/hardware token with the given random generated secret key
- They have successfully answered one challenge
Users can disable the MFA they have enabled
The generated secret key is never displayed again after the initial enrollment and is stored encrypted in the DB
Only one secret key can be associated by user account (aka it is not possible to use multiple app/hardware tokens with different secret keys)

This story does not include:

recovery of the user account with recovery codes if the user can not use the second factor that has been registered: the user won't be able to log in anymore
any kind of management by site administrators or project administrators: it is not possible to disable the second factor nor to enforce the usage of MFA to be able to access the Tuleap instance or specific project

AttachmentsEmpty

CC listEmpty

Status

CategoryAuthentication & LDAP

StatusCanceled

Development

Checklist

[ ] Does it involves User Interface?
[ ] Are there any mockups?
[ ] Are permissions checked?
[ ] Does it need Javascript development?
[ ] Does it need a forge upgrade bucket?
[ ] Does it need to execute things in system events?
[ ] Does it impact project creation (templates)?
[ ] Is it exploratory?

Technical informations

Goal is to be compatible with apps like "Google Authenticator", to be compatible with most of the existing apps that means supporting TOTP with 6 digits, SHA1 as algorithm and a new code each 30 seconds. A code from the previous period or the next period (P-1 and P+1) should be considered valid to not harm too much the usability, 30 seconds could be short otherwise if the server or the user are not perfectly synced.

RFC6238 TOTP: Time-Based One-Time Password Algorithm https://tools.ietf.org/html/rfc6238
Also check errata ID 2866 for the test vectors https://www.rfc-editor.org/errata_search.php?eid=2866

Details

Artifact ID#11649

Submitted ByThomas Gerbet (tgerbet)

Last Modified On2023-03-24 14:45

Submitted On2018-06-20 16:26

Rank11993

Permissions

Restrict access to this artifact for the following user groups:

References

Is related to

Artifact links

Empty

Reverse artifact links

Epics

Parent

Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
epic #11648	Tuleap	Epics	Multi-Factor Authentication	Canceled	2023-06-13 14:56	Thomas Gerbet (tgerbet)

Cross References

Referencing story #11649

Artifact Tracker v5

epic #11648 Multi-Factor Authentication

request #11622 Possibility to configure display name on email notifications from tracker on a per-tracker basis

Git commit

tuleap/tuleap/stable

Initialize the multi-factor authentication plugin c93a541b09

Thomas Gerbet (tgerbet) , 2018-06-21 12:22

TOTP codes can be validated 9a34d476c5

Thomas Gerbet (tgerbet) , 2018-06-22 17:53

Extract the password verification from the LoginManager class 9eda2ec223

Thomas Gerbet (tgerbet) , 2018-06-23 13:44

Enrollment of a multi-factor authentication device based on TOTP can be saved 8f7c15aa9e

Thomas Gerbet (tgerbet) , 2018-08-23 16:30

Enrollment of a multi-factor authentication device based on TOTP can be tested 7dbdfe5fe3

Thomas Gerbet (tgerbet) , 2018-09-10 09:04

Drop incomplete MFA (TOTP based) plugin aa7e84cd65

Thomas Gerbet (tgerbet) , 2023-03-24 10:56

Show items referenced by story #11649

Referenced by story #11649

Artifact Tracker v5

epic #31170 Passkeys / WebAuthn

Git commit

tuleap/tuleap/stable

Drop incomplete MFA (TOTP based) plugin aa7e84cd65

Thomas Gerbet (tgerbet) , 2023-03-24 10:56

Other

Follow-ups

Nicolas Terray (nterray)

2023-03-24 14:45

gerrit #28143 (Drop incomplete MFA (TOTP based) plugin) integrated into Tuleap 14.6.99.195

This story is replaced by epic #31170

Acceptance criteria

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Status changed from Done to Canceled
Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Category set to Authentication & LDAP

Tracker Workflow Manager (forge__tracker_workflow_manager)

2023-03-24 14:41

Closed by @tgerbet with git #tuleap/stable/aa7e84cd656d8720cdae83d810cde783170ded28.

Status changed from Ready (stalled) to Done

Manuel Vacelet (vaceletm)

2022-05-09 16:07

Acceptance criteria

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Status changed from On going to Ready (stalled)
Technical informations

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes
Category set to