Login authentication enhancement

Hi,

I believe need to secure authentication page - mechanism
Suggest

  • Add simple captcha system
  • Add simple ban system if login fails after x times then ban IP for period y

Last Update: 2018-02-21

I don’t feel that a captcha is suitable for the main login page. A “ban” system would negate the need for such a mechanism. This would need to be tunable by the administrator. This would also create an audit trail of user logins, which is currently lacking.

It would be useful, however, for the password recovery page to implement some kind of captcha, to prevent brute-force enumeration / harvesting attacks.

Any proposal is welcome
CAPTCHA just mentioned for more securing
Ban system is good too
The whole idea is secure admin area from brute force login attempts

To avoid brute force attemps I would recommend 2FA like here 2FA against privacyIDEA

In addition you might set up some kind of rate limit in your firewall.

First step would be a ban system to prevent bruteforce attacks.

2FA is really important, maybe there is a solution that allows multiple providers like privacyIDEA, Google 2FA and so on.

Captcha would be a little bit difficult as I do not know any good solution that does not require a registration.

Yeah sure but nothing prohibits us to add config keys to ipconfig.php and it’s up to the user to set it to true and setup his own siteKey and secret Key (if we use google recaptcha)

I think it is up to you how you enhance the authentication stack of invoiceplane. Take a look at PAM where you can add your own authentication module.
Take a look at OTRS, where the authentication can be performed by a third party perl module. And this is ancient software! They actually did a good job ten years ago!
Or ownCloud. (Well, I would have wished for a more flexible design.)

Important to note: You should distinguish between authentication and authorization.
That said: invoiceplane could still manage the users (with their roles and email addresses), but the authentication (verification of login credentials) could be passed to a third party module.
(I wrote a German article about flexible authentication in web applications.)

Some of the things are already nicely done in invoiceplane and do not need much changes in this file:

Recommendations for adaption

Read users / authorization

Here https://github.com/InvoicePlane/InvoicePlane/blob/master/application/modules/sessions/controllers/Sessions.php#L32 you read the user from the database.
You could wrap this in an overloadable function/class. Thus users could also be read from LDAP or other SQL sources.

Active users

Looking at active users at this place is OK. Only a third party authorization module needs to return a user object, that has also a member active.

Authentication

Here authentication is done against the local database.

Again you could run an overloadable function.
Thus I could add a module to be called here, that communicates with privacyIDEA. Others might add a module here, that runs an bind against an LDAP server.

Example 3rd party module

class PrivacyIDEAAuth implements InvoicePlaneAuth
{
   /* 
    * called in line 47
    */
   public function authenticate($username, $password) {
        return bool;
   }

  /*
   * called in line 31
   */
  public function authorize($username) {
      return userobject;
  }
}

There is a ton of libraries which implements and fits perfectly with CodeIgniter for 2FA (I use them at work) so it’s totally possible.

The fact is that it can’t be implemented like an easy feature and will probably create a backward compatibility and it needs to be enabled for users very easy and friendly (I mean you can’t enable it if the main user don’t have his QR-code scanned first) so there is a lot to do even if it’s not really hard from a technical point of view but needs to think to all aspects and point of view to not lose any users :wink:

I’m not a fan of it (but I’m not the project leader here so just my opinion) because if the third party module has a problem/bugs or is shutdown then you’re fucked …

Anyway for 2FA a lot of dev use the version (or a modified one) of PHPGangsta

It has to be discussed and really check all which has to be dev :wink:

Regards

I am not talking of an external “cloud” authentication service, but of “my own” service on the network. And yes, you are basically right. But speaking of a network with central user managemet you are also fucked if your OpenLDAP or Active Directory has a problem. That’s the way the cookie crumbles.

I think it can be implemented as an easy feature when doing it in several steps:

  1. Step: Move the already existing code for authentication and authorization into its own module or class.

Ship it. There is no change for the user. Everything feels and acts the same. The code is just at another location.

  1. Step: Implement to allow the admin to choose another authentication class and authorization class. aka. a 3rd party. This can be done in ipconfig.php. This will not affect the normal user, if the admin did not configure another authentication class.

Ship it. It still feels the same for all other users, who are using local usernames and passwords.

But I will be able to write a 3rd party module, that communicates with a 2FA system :slight_smile:

  1. Step: Now you might start to think about your own internal 2FA thingy which will also be an extra authentication class. Optionally.

But: Please Please Please

Do not simply create your own 2FA management as the only 2FA possiblity!
I am into 2FA now for 14 years and this often seemed like an easy and quick solution, but after a while it is… …nasty
…it sucks:

  1. Users will end up with a long list of profiles in their Google Authenticator. One for invoiceplane, one for owncloud, one for SSH login, one for the next portal, one for your VPN, one for…
  2. In a company an administrator wants to define some central rules - also for 2FA. This is not possible, if every application ships its own 2FA! You want to have a central service.
  3. What is 2FA anyways? It is not your smarpthone and it is not the Google Authenticator! Let the user, the administrator or the IT department or the boss choose, if to use SMS, Email, Google Authenticator, U2F, hardware tokens… Good luck with implementing this! :wink:
  4. The Google Authenticator sucks anyways. :wink: Read this. (Well at least it is better than nothing)
  5. Personally: In our company every user has one centrally managed Yubikey. And the user uses this Yubikey to access everything: LUKS, local login, ownCloud, our own django apps, web site management - and I would like to add invoiceplane to that list… :smiley:

I am happy to act as a nagging partner for discussion! :wink:

Thanks for the time!

1 Like

I am sorry. Did I highjack this thread?

I think the best way is to collect opinions and ideas from everyone and once we got a little list why not have a talk on the Slack directly with everyone involved ?

You’re still free to use
https://authy.com/
:smiley:

It’s a great feature of course but keep in mind that it’s supposed to be user friendly and easy for everyone. I mean the goal of InvoicePlane is not to be the most secure project (I don’t say that security is not important) but one solution (or maybe two) is a good compromise. It’s also up to each company to secure their webhost :wink:

1 Like

I never used authy since I do not want them to know my phone number. The enrollment process of Google Authenticator (which I think is also used by authy!!!) sucks. So thus authy does, too :wink:
I like to use the new privacyIDEA Authenticator :wink:

A talk on slack or jitsi or whereever might be great.

Securing a webhost does not work out, since UserA could authenticate at the webhost and impersonate as UserB at the application.