Feature #11705
Closed
Integrate Multifactor Authentication into Wt's Auth module
100%
Description
Wt currently allows users to log in with an identity like a username or email. It then requires a password.
This is a very classic way of authenticating. However, this is not sufficiently secure. There are various ways (like phishing, pharming, ...) for bad actors to get the password of a user.
Multifactor Authentication (MFA) poses an additional barrier.
Strictly speaking, MFA can be a variety of things, like simply having an additional security layer by imposing a PIN, requiring a simple question to be answered, etc.
However, these approaches are similar to a password, in that they can be acquired by malicious actors in much the same way passwords can.
More secure are physical keys, but these often require specific hardware.
The best fitting approach here would be to offer a Time-based one-time password (TOTP) implementation.
The user would need to provide the MFA secret if this feature is enabled for them.
This allows the user to generate a one-time password through any authentication application. They can fill this code into an additional prompt after the usual login.
Much like for the "Keep me Logged in" feature for a regular login, we can allow a policy to be set for this authentication, allowing a configuration that doesn't require this code each time.
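The server-side check behind the extra prompt described above, as an added example that is not part of the original issue and is not Wt's own code: it implements RFC 6238 TOTP (HMAC-SHA1) with a one-step clock-drift window and rejection of an already-used code. The function names, the 6-digit length, the 30-second step and the `last_used` bookkeeping are assumptions for illustration; the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6     # code length (assumption; common in authenticator apps)


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Code for one time-step counter: HOTP (RFC 4226) over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, last_used: int, now: float = None,
           window: int = 1):
    """Return the matched counter, or None if the code is rejected.

    last_used is the highest counter already accepted for this user
    (-1 if none). The caller stores the returned counter so the same
    code cannot be replayed while it is still inside the window.
    """
    current = int((time.time() if now is None else now) // STEP)
    matched = None
    for counter in range(current - window, current + window + 1):
        # Constant-time comparison: no timing hint about matching digits.
        ok = hmac.compare_digest(totp(secret, counter).encode(),
                                 code.encode())
        if ok and counter > last_used:
            matched = counter
    return matched


# Constructed sample: RFC 6238 test key, in the Base32 form an
# authenticator app would import.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    t = 59                                       # RFC 6238 test time
    code = totp(SECRET, t // STEP)
    first = verify(SECRET, code, last_used=-1, now=t)
    print(code, first, verify(SECRET, code, last_used=first, now=t))
```

A "remember this device" policy like the one proposed above would sit in front of `verify`, skipping the prompt only while a previously issued token is still valid.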
Updated by Matthias Van Ceulebroeck about 1 year ago
- Status changed from New to InProgress
- Assignee set to Matthias Van Ceulebroeck
- Target version changed from future to 4.11.0
Updated by Matthias Van Ceulebroeck about 1 year ago
- Status changed from InProgress to Review
- Assignee deleted (Matthias Van Ceulebroeck)
Updated by Matthias Van Ceulebroeck about 1 year ago
- Assignee set to Korneel Dumon
Updated by Korneel Dumon 12 months ago
- Status changed from Review to InProgress
- Assignee changed from Korneel Dumon to Matthias Van Ceulebroeck
Updated by Matthias Van Ceulebroeck 12 months ago
- Status changed from InProgress to Review
- Assignee changed from Matthias Van Ceulebroeck to Korneel Dumon
Updated by Korneel Dumon 10 months ago
- Status changed from Review to InProgress
- Assignee changed from Korneel Dumon to Matthias Van Ceulebroeck
Updated by Matthias Van Ceulebroeck about 2 months ago
- Status changed from InProgress to Implemented @Emweb
- % Done changed from 0 to 100
Updated by Matthias Van Ceulebroeck about 2 months ago
- Status changed from Implemented @Emweb to Closed