Feature #11705

closed

Integrate Multifactor Authentication into Wt's Auth module

Added by Matthias Van Ceulebroeck over 1 year ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Target version:
Start date: 06/07/2023
Due date:
% Done: 100%
Estimated time:

Description

Wt currently allows users to log in with an identity like a username or email. It then requires a password.

This is a very classic way of authenticating. However, this is not sufficiently secure. There are various ways (like phishing, pharming, ...) for bad actors to get the password of a user.
Multifactor Authentication (MFA) poses an additional barrier.

Strictly speaking, MFA can be a variety of things, like simply having an additional security layer by imposing a PIN, requiring a simple question to be answered, etc.
However, these approaches are similar to a password, in that they can be acquired by malicious actors in much the same way passwords can.

More secure are physical keys, but these often require specific hardware.

The best fitting approach here would be to offer a Time-based one-time password (TOTP) implementation.
The user would need to provide the MFA secret if this feature is enabled for them.

This allows the user to generate a one-time password through any authentication application. They can fill this code into an additional prompt after the usual login.

Much like the "Keep me Logged in" feature for a regular login, we can allow a policy to be set for this authentication, allowing a configuration that doesn't require this code each time.

Actions #1

Updated by Matthias Van Ceulebroeck about 1 year ago

  • Status changed from New to InProgress
  • Assignee set to Matthias Van Ceulebroeck
  • Target version changed from future to 4.11.0
Actions #2

Updated by Matthias Van Ceulebroeck about 1 year ago

  • Status changed from InProgress to Review
  • Assignee deleted (Matthias Van Ceulebroeck)
Actions #3

Updated by Matthias Van Ceulebroeck about 1 year ago

  • Assignee set to Korneel Dumon
Actions #4

Updated by Korneel Dumon about 1 year ago

  • Status changed from Review to InProgress
  • Assignee changed from Korneel Dumon to Matthias Van Ceulebroeck
Actions #5

Updated by Matthias Van Ceulebroeck about 1 year ago

  • Status changed from InProgress to Review
  • Assignee changed from Matthias Van Ceulebroeck to Korneel Dumon
Actions #6

Updated by Korneel Dumon 11 months ago

  • Status changed from Review to InProgress
  • Assignee changed from Korneel Dumon to Matthias Van Ceulebroeck
Actions #7

Updated by Matthias Van Ceulebroeck 3 months ago

  • Status changed from InProgress to Implemented @Emweb
  • % Done changed from 0 to 100
Actions #8

Updated by Matthias Van Ceulebroeck 3 months ago

  • Status changed from Implemented @Emweb to Closed