2 Factor Authentication (2FA)


#1

InvoicePlane is a web software, which means that some installations (the majority maybe?) are online, to public facing servers. This could be an issue security-wise.

It would be really nice to have a two-factor authentication option available, TOTP preferably.

What do you think? Is that too difficult to implement?
Discuss/vote


2FA against privacyIDEA
2FA against privacyIDEA
#2

Last Update: 2018-02-21


#3

Found this github with Google-2fa: https://github.com/antonioribeiro/google2fa

**Compatibility**
You don't need Laravel to use it, but it's compatible with

* Laravel 4.1+
* Laravel 5+

It also has some instructions as to how you can install it in Laravel. (which is the framework for IP if I’m not mistaken)


#4

The credentials of the user are checked in the auth method. https://github.com/InvoicePlane/InvoicePlane/blob/master/application/modules/sessions/models/mdl_sessions.php#L21

So at this point we can jump in and check the credentials e.g. against LDAP, against an internal TOTP token.
I am developing a 2FA system (https://privacyidea.org). So I want to connect invoicePlane to this.
The easy thing is, that I do not need to manage the second factor within invoicePlane. I do not have to display a QR code in invoicePlane to enroll the TOTP token.

I will simply have to create a REST Request to the privacyIDEA server, which validates the credentials.
http://privacyidea.readthedocs.io/en/latest/modules/api/validate.html#post--validate-check

Well, the perfect thing would be to make this authentication code kind of modular, so that authentication plugins can be developed without touching the session class. But this should be a design task within invoicePlane.
Kind regards
Cornelius


#5

I see there have been request in regards to authentication earlier. AD/LDAP Authentication, External Authentication, 2 Factor Authentication (2FA).

I think one would expect to have LDAP authentication. But in this case I would also expect to have some kind of role concept.

Anyways, I would like to go for the low hanging fruit and add two factor authentication against privacyIDEA. Why? Because:

  • we use it
  • it is our project
  • it is simple.

It is as simple as issuing a REST request and evaluating the JSON response.

BUT: I am not sure if invoiceplane already uses an http client module somewhere that could be used in this case? Is there a http client, which I did not see in the project? (…to avoid new dependencies)

What do you think?