Two-factor authentication is a good idea. There are several ways to do it, but tfa 7.x-2.x and tfa_basic 7.x-1.x are probably the best option. They support the industry-standard TOTP protocol, with recovery codes as a backup method (and SMS, if we want to support that, though it would require an API capable of sending SMS, which costs a small amount of money).
Testing TFA on Drupal.org
Steps to enable TFA and test on a devdrupal site.
- Go to https://tfa-drupal.redesign.devdrupal.org and for htauth use drupal:drupal
- Because passwords are sanitized on stage sites you'll need a one-time login link to get in (ping greggles or coltrane in #drupal or #drupal-contribute to get one)
- Set a password for your account (different than main drupal.org one)
- Click the "Security" tab on your account profile
- Choose to setup two-factor authentication
- Enter your password
- Choose application setup
- Install one of the recommended TFA applications (Google Authenticator, FreeOTP, etc) and scan the QR code or enter the code into your mobile application
- Once entered your application will generate a 6-digit numeric code that you'll enter back into the TFA form
See comment #13 for further steps and screenshots.
Two factor authentication deployment plan
- In settings.local.php set the following conf variables:
  $conf['tfa_basic_secret_key'] = '<output of openssl rand -base64 32>';
  $conf['tfa_basic_cookie_domain'] = '.drupal.org';
- Update drupalorg_crosssite
- Add tfa and tfa_basic modules to the site
- Merge & deploy drupalorg's 2239973-tfa branch
- Enable the modules and on admin/config/people/tfa choose to enable TFA
- Set TOTP as the default validation plugin, also enable recovery codes and help plugin
- Enable login plugin and set the default help text to
Email help@drupal.org to reset your access.
- Inform administrators they should set up TFA for their account
Later,
- Send emails periodically to people with admin roles that have not set up TFA and encourage them to do so
- After 60 days, if someone hasn't enabled TFA their admin roles should be revoked (they can be regranted once the person has enabled TFA)
- Fix any bugs or documentation/usability issues encountered in the initial roll-out period
- Allow anyone with "community" role to set up TFA
Tools for Generating TOTP codes
There are multiple free and Free options for creating TOTP codes on a smartphone or laptop. Wiki and discussion about apps on groups.drupal.org at https://groups.drupal.org/node/438328
Comment | File | Size | Author
---|---|---|---
#41 | tfa-successful-prompt-for-authentication-code.png | 132.01 KB | vegantriathlete |
#40 | tfa-successful-setup.png | 118.06 KB | vegantriathlete |
#39 | testing-tfa.png | 131.08 KB | vegantriathlete |
#27 | tfa-basic-overview.png | 96.78 KB | coltrane |
#13 | tfa-drupalorg-config.jpg | 240.94 KB | coltrane |
Comments
Comment #1
greggles
Comment #2
greggles
Comment #3
basic
I assume you want TFA 2.x with the tfa_basic plugins? Looking over the features this seems like a good approach.
Comment #4
coltrane
tfa_basic provides two plugins for the TFA module, TOTP and "remember by browser". I have recovery codes in a local plugin that I'll get on drupal.org soon.
Comment #5
greggles
Comment #6
gdemet
I'm +1 for this feature. Would we be able to use Google Authenticator with the implementation being discussed?
Comment #7
jyee
+1 would love to see this implemented.
Comment #8
vegantriathlete
I am using Google Authenticator on a couple of different services and am really happy with it. I'd love to see the ability to have TFA via Google Authenticator on d.o. and am thrilled to see that @greggles and @coltrane have started to take some steps to create the contrib modules to handle this!
Comment #9
greggles
Comment #10
greggles
Thanks for your support. I updated the issue summary to mention that yes, Google Authenticator will work.
I also removed individual issues and instead linked to meta issues that list the things to fix before a release.
Comment #11
greggles
Issue nid typos.
Comment #12
vegantriathlete
Can you clarify the last sentence in the first paragraph?
Specifically, I don't understand the part that says "There are multiple free and Free options". I guess I'm not understanding the difference between "free" and "Free". Are you making the distinction between "free as in beer" and "Free as in speech"?
Comment #13
coltrane
https://tfa-drupal.redesign.devdrupal.org/ is available for testing TFA 2.x-dev and TFA Basic 1.x-dev. It's been setup also with the recovery codes patch #2241621: Add "recovery codes" feature. The attached screenshots show how to enable TFA authenticator application for an account.
Steps to enable
1. Go to tfa-drupal.redesign.devdrupal.org and for htauth use drupal:drupal
2. Log in with your d.o account credentials
3. Click the "TFA" tab on your account profile
4. Choose to setup two-factor authentication
5. Enter your password
6. Choose application setup
7. Install one of the recommended TFA applications (Google Authenticator, FreeOTP, etc) and scan the QR code or enter the code into your mobile application
8. Once entered your application will generate a 6-digit numeric code that you'll enter back into the TFA form
You should also save recovery codes. You can mark the current browser as trusted but note that you won't be subjected to TFA during log in of course, unless you use a different browser.
Comment #14
coltrane
Comment #15
coltrane
Comment #16
coltrane
I'm working on this again with the plan to complete #2243871: [meta] Tracking next release (and ideally #2241821: Plan for TFA 7.x-2.2 release) in the next couple weeks.
https://tfa-drupal.redesign.devdrupal.org/ has been updated with latest work on TFA. The directions in the summary and #13 are correct.
I have feedback from webchick that will make it into TFA and TFA Basic issues but would really appreciate further review from folks who have expressed support thus far. @jyee @gdemet @vegantriathlete :)
Comment #17
skyredwang
I am trying to test https://tfa-drupal.redesign.devdrupal.org/ , but it asks for HTTP server authentication. Can anyone point me to certain testing policy or the requirements to get such access?
Comment #18
Dave Reid
@skyredwang: drupal/drupal for username/password.
I'm unable to login with my normal account credentials on the dev site. Do I need to do a password reset?
Comment #19
drumm
Dev site DBs are nearly public, so we sanitize out both emails and password hashes. https://www.drupal.org/node/1018084 has some info on logging in. Basically, use drush uli.
Comment #20
greggles
If someone wants to help test ping me in irc and I'll get you a drush uli for your account.
TFA works with a one-time-login link or you can set your password and then use it normally.
Comment #21
coltrane
Oy, I didn't realize/forgot passwords are sanitized on stage sites. I've updated the summary to say to ping greggles or myself for one-time login links.
Comment #22
dsnopek
@mlhess hooked me up with a login URL and I tested this a little bit. I'm going to have to wait until I get home to test with an actual smartphone - but I have some questions.
What is the plan for TFA for people without smartphones?
Personally, I have a box of smartphones I use for mobile testing, but I don't actually have a smartphone that I carry with me everywhere with telephone and internet service. :-) Is setting a "trusted browser" the plan to handle this?
I setup TFA on that demo site and set a trusted browser, however, when I login using a different browser, it goes through with just the password. Shouldn't it stop me, saying this browser isn't trusted (and maybe allow me to get in using one of the recovery codes)? My account page says that TFA is enabled:
... so I would have expected it to require more than just the password, even though I don't have a real TFA application setup. Or am I misunderstanding how this is supposed to work?
Comment #23
greggles
I added some links in the issue summary to browser-based ways to generate totp codes.
People can also just use the recovery codes and trusted browsers to get by. They'd need to enter a recovery code every month which isn't terrible. Periodically they'd need to add some more recovery codes.
Comment #24
coltrane
Thanks for testing @dsnopek!
"I setup TFA on that demo site and set a trusted browser, however, when I login using a different browser, it goes through with just the password."
I haven't been able to replicate this. When I setup TFA and set my current browser as trusted then try to log in from a completely different browser I'm presented with the TFA form after entering my name/password. Can you detail your steps please? I'm also available on IRC and/or Google Hangout for walking through your process. Thanks!
"What is the plan for TFA for people without smartphones?"
This definitely assumes people have a smartphone. There are some desktop solutions for TOTP, would you be willing to try them out?
The "trusted device" is not currently an option for 2nd factor sign-in. It's only a means to avoid TFA on *every* sign-in.
Comment #25
dsnopek
I think the difference is that I enabled TFA, but without doing the "Setup application" stuff because I'm smartphone-less, only setting a trusted browser. When I have a chance, I'll try setting up one of the desktop solutions you referred to and then see if that causes it to ask for further authentication.
Anyway, if my guess is right, then it probably means the TFA code should be changed to kick in with just a trusted browser, even without an application setup, to make things easier for the smartphone-less. :-)
Comment #26
dsnopek
Ok, I tried the Firefox addon here:
https://marketplace.firefox.com/app/gauth-authenticator/
And it works great! Now that I understand how this works (hey, it's time based!) having never tried the TFA module before, this seems like a totally fine way to work for those without a smartphone. :-)
Comment #27
coltrane
https://tfa-drupal.redesign.devdrupal.org/ has been updated with improvements to the set up process and account overview page. You can see a screenshot of the overview page in the attachment.
Comment #28
greggles
It's worth noting that the multi-step flow you created and help text on that page was created to address the problems that testers encountered so far. Hopefully there will be more success.
One area that is still a barrier for adoption seems to be choosing the right software to generate the one-time code. I moved some of the information from the original post and from comments into a wiki post on g.d.o: Recommended TOTP clients for TFA deployment on drupal.org. My hope is that we can come up with a list of at least a few solutions, ideally in order based on usability/security, that work on 95% of all platforms. It's clear we need solutions for people without smartphones or with models so old they don't run those programs.
Comment #29
drumm
Can the menu item be named something non-acronym? TFA isn't something I'd expect people to know offhand.
Comment #30
coltrane
Thanks for the feedback drumm! Yes, you can follow progress on the tab name at #2320705: Name of TFA tab?. I'll reference your comment there.
Comment #31
coltrane
Comment #32
coltrane
Tagging Software Working Group for review based on https://www.drupal.org/governance/drupalorg-working-groups/software
edit, also the name of the tab has changed from "TFA" to "Security"
Comment #33
skyredwang
After setup, I made a few tests:
1. login with a mobile authenticator -> works
2. login with a recovery code -> works
3. login with a used recovery code, got rejected -> works
But, "View unused recovery codes" feature is a big security risk, which allows people to steal others' codes/access easily. (For example, use someone's computer when this person is away). The easy solution is, like Google, Github, Linode, etc, once the recovery codes are generated, they are no longer viewable (Not sure if we need to encrypt the recovery codes).
Comment #34
skyredwang
I made another test. I can get in without proper access. I will report this security problem via proper channel.
Comment #35
coltrane
If the "View unused recovery codes" was behind a password prompt would that mitigate showing them?
Comment #36
greggles
I don't see "view unused recovery codes" as any bigger risk than viewing more recovery codes.
I do agree that either version of it should be behind an extra password prompt for some extra security against the scenario @skyredwang describes.
Comment #37
greggles
Comment #38
coltrane
https://tfa-drupal.redesign.devdrupal.org/ has been updated with latest work in TFA Basic (patches #2325409: Improve UX of set up and #2324159: Provide optional SMS plugin using Twilio*) which improve the UX of setup and implementing password control on viewing recovery codes.
* Note, while the SMS plugin is available it's not enabled.
Comment #39
vegantriathlete
I didn't have a TFA tab. I need to click Security.
Comment #40
vegantriathlete
Here is the successful setup.
Comment #41
vegantriathlete
Here is the successful prompt for the authentication code.
With the exception of needing to click "Security" instead of "TFA", the process worked beautifully for me!
I have not tested marking a browser as trusted. Nor have I tested using one of the recovery codes. Would you like me to test either / both of those?
Comment #42
vegantriathlete
FWIW: I am happy having the intermediate password prompt when clicking Reset application, Set trusted browsers, View unused recovery codes, Get new recovery codes and Disable TFA.
Comment #43
vegantriathlete
Comment #44
nnewton
Hi All,
Where does this stand at the moment and is there anything the infra team can do to help its progress?
I am not sure if having more people would help or hurt at the moment and wanted to check.
Thanks.
-N
Comment #45
greggles
Thanks, nnewton.
The issue summary links to two issues in the TFA/TFA_Basic queue for managing their stable release. Each of those issues links to lists of issues to fix. I would say those are things to fix in an ideal case, but even with them the modules do provide a strong improvement in security (i.e. still requires at least several hundred thousand brute force requests even if username and password are compromised). Some of those even have patches that need review.
I'm not sure if Ben agrees, but I think we could consider deploying this in its current state.
Comment #46
coltrane
If drupal.org deployed now and #2339449: Use better encryption and random source made it in then upgrading would break TFA for any user (because stored data would decrypt differently). If that's an acceptable annoyance (or if someone can assist with an update path) drupal.org could deploy now, otherwise it seems best to wait for a beta2. I unfortunately don't have an estimated delivery time for that.
Comment #47
coltrane
Comment #48
tim.plunkett
Fixing tags.
Comment #49
Leeteq
I think Drupal.org should also have support for the "U2F" ("Universal-Two-Factor") authentication standard that earlier this year was established by the FIDO alliance.
Ref. the FIDO alliance supporting members list:
https://fidoalliance.org/membership/members
(extracted a few well-known names...)
Demo video:
https://fidoalliance.org/adoption/video/yubico-fido-u2f-simple-secure-login
When many people now can use the same 2FA security token to secure their accounts with both Google, Paypal, Alipay, etc., as well as also easily for their individual Drupal sites using a Drupal contrib module, then I would think it be wise to avoid forcing people to choose between two different standards.
Therefore, I think it would be good if drupal.org not only support (require) TOTP, but also the U2F standard, which seems to be THE way forward. It seems that it is just a matter of a feature decision for the TFA module to also support U2F.
Notice also a significant flexibility detail between the two standards, where the latter does not require time stamp, meaning that the U2F standard supports security tokens that not need a battery. This is quite important. Then each of the security token devices can last much longer. One of the available U2F devices comes with 10 year warranty already.
Google just opened their U2F Security Key support for Gmail and Google Accounts earlier this week:
http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-ve...
Gmail U2F demo video:
http://vimeo.com/109365425
Comment #50
greggles
@Leeteq - this issue is about deploying tfa on drupal.org in the near term. There is much more than a matter of making a feature decision to support U2F: there is actual writing of code, reviewing for usability and security, and testing. Significant effort has been put into getting the TFA module through many of those steps although some work remains before it could be deployed. Adding an additional step at this point would delay an improvement. Let's please leave the discussion of U2F out of this issue until there is at least working code for it.
Comment #51
tvn
I finally got around to test this on the dev site. Great work! I used the Firefox Gauth Authenticator, it worked fine.
Now some questions and comments:
1. How will this affect password reset process, specifically one time login links?
2. What options are there if a person for some reason doesn't have the verification device and recovery codes anymore? What's the way to get in their account?
Some UI related stuff:
3. Once you start TFA setup, page title changes to TFA setup, Profile menu is gone, however Profile / Posts / Commits menu is still there, which looks kinda confusing.
4. The list of available applications inside of TFA setup only lists mobile ones, no desktop ones:
Google Authenticator (Android/iPhone/BlackBerry)
Authy (Android/iPhone)
Authenticator (Windows Phone)
FreeOTP (Android)
5. Can the links above have target="_blank"? Currently if you click on one of them, and then go back in your browser, you get page expired message.
6. When entering recovery codes, can we add a hint about their format to the text? Due to spaces in those codes it can be a little bit confusing.
So e.g.:
Enter one of your recovery codes (XXX XX XXX)
7. Most of the TFA related pages could use some margins between different paragraphs of text, form elements, buttons.
e.g.
8. It would be good to add some styling to the TFA setup page. Make headers bold, action links - buttons, ul list to have bullet points, and some spacing between different elements.
E.g.: https://www.drupal.org/files/issues/tvn___tfa_drupal_dev.jpg
9. Lastly, and this is totally minor. In this text:
"With TFA enabled, you sign on to the site with a uniquely generated code in addition to your username and password."
as a non-native speaker, for me personally "sign on to the site" is somewhat confusing. "Log in to the site" is much more understandable, or at least "sign in to".
Thanks again for all the work on this!
The dev site is pretty old and a lot of stuff got deployed on Drupal.org in the mean time. I think first step to prepare this for deployment would be to rebuild the dev site and configure TFA on up-to-date copy of Drupal.org.
Comment #52
Wim Leers
#51: great review — looking forward to being able to use this :)
Comment #53
coltrane
(comment edited, responding to your questions)
@tvn, thanks so much for your review! Hugely helpful to have your feedback. Marking this back to needs work.
1. One time login links get a user past the first step of authentication but they are still required to go through the TFA code entry process to sign in
2. The best way is to contact an administrator to reset their access. #2326253: Provide help page plugin is a proposal to assist with that.
Many of your suggestions will likely be handled within the TFA Basic project. I've made note of your comment in #2243871: [meta] Tracking next release and will create issues after going through in more depth.
I suspect some of the theme-related points may require work within the drupal.org theme. I can probably do that, but it would be quicker to have assistance from someone more familiar with the theme and css.
And besides these new issues, TFA and TFA Basic are almost ready for a new tag. I have some local code for #2327441: Improve context management and dependency handling with plugin injection that I hope to have submitted for review in the next couple weeks.
I'll also rebuild the dev site soon if no one else gets to it first.
Comment #54
coltrane
I rebuilt http://tfa-drupal.redesign.devdrupal.org/ after getting devwww access again (thanks to drumm and basic` for their assistance).
http://tfa-drupal.redesign.devdrupal.org/ is running latest tfa and tfa_basic dev releases and applied patches:
To-do's from #53 still stand tho the meta issues of TFA and TFA Basic have some progress.
Comment #55
teachermac
When will there be a module for Drupal 8?
Thanks
Comment #56
Leeteq
@teachermac; this issue is for the implementation at drupal.org, which is using D7 for the foreseeable future.
Follow this issue in the TFA queue instead for your D8 question:
#2307785: Port TFA to Drupal 8
Comment #57
tvn
Untagging, DSWG reviewed this during our monthly call this week. We do think this is a great idea. Since it is already recognized at the official D.o roadmap (https://www.drupal.org/roadmap) under Community initiatives, no further actions from DSWG are required. We'd recommend 'd.o two factor auth' tag is added to all related issues to make it easier to see the scope of the initiative.
Comment #58
coltrane
Thanks tvn! I appreciate the sign-off.
The theme-related suggestions from #51 are something that may require another set of hands to help with or at least more research from me on how to implement. If anyone subscribed to this issue is interested in assisting with it and wants to triage any drupal.org theme changes and work on them please, by all means, do!
Comment #59
drumm
Comment #60
drumm
Moving to drupalorg since there will be permissions changes. (Those are in a Feature now.)
Comment #61
greggles
I think there are still 1-2 things to fix in tfa and tfa_basic prior to deploying on d.o. If you can help on those it seems great!
Comment #62
coltrane
Updating issue summary
Comment #64
drumm
http://cgit.drupalcode.org/drupalorg_crosssite/commit/?id=10a2f730cec96f... hides the Drupal.org section navigation on these pages.
Comment #66
drumm
With #2480577: Improve UI for main Security tab, and the last commit here, the main UI looks like this:
Comment #67
drumm
This is looking good to me, and is scheduled for deployment on Tuesday.
The initial deployment will let users with these roles use TFA: Full HTML user, Git administrator, administrator, security team, testing administrator, user administrator.
Comment #68
coltrane
Excellent!
Before next TFA tag I would like to get #2329867: Prevent the re-use of TOTP codes committed. Any review of that is appreciated.
Since this is only deploying for a limited set of people I'll make the next tag a beta2.
Additionally I'll expand documentation on drupal.org as part of #2273603: Document require TFA and UX challenge
Comment #69
Mixologic
Found an interesting issue. I tried to drush uli on the tfa-redesign site, but am getting the following message:
https://www.dropbox.com/s/5q0thbrjzfaosws/Screenshot%202015-05-02%2008.3...
Comment #70
coltrane
Pending any further review and issues, I'm planning to tag beta2 for TFA and TFA Basic modules tomorrow, May 4th for use in the first stage of d.o release. Any additional reviews? Based on #69, to test, you may need to setup TFA locally. (Note, the PHP mcrypt extension is necessary)
@Mixologic, I think @drumm rebuilt the stage and I'm not certain of its configuration. If your role is under the TFA setup requirement then that would prevent you from logging in even with a uli link. #2481253: Allow Drush uli login command to bypass TFA is a feature to allow drush-based logins but it's not blocking this deployment (IMO).
Additionally, I'm unable to ssh into devwww at the moment to check the setup. I'll ping in drupal-infra to troubleshoot it.
Comment #71
coltrane
Thanks to mlhess for assistance I was able to get into https://tfa-drupal.redesign.devdrupal.org/ and confirm the settings. No role is under the TFA requirement there.
@Mixologic, did you run drush uli 1? If so, please try again with your own UID. Otherwise please try again.
For anyone else interested in testing TFA on drupal.org stage site today please ping me in #drupal-contribute for a uli link for http://tfa-drupal.redesign.devdrupal.org/
Edit: http://tfa-drupal.redesign.devdrupal.org/ is now running TFA & TFA Basic development releases, which will soon be beta2.
Comment #72
drumm
I can confirm I was able to log in as Dries on dev. We shouldn't be locking him out of Drupal.org on deployment.
Comment #73
coltrane
Beta 2 releases made:
TFA 7.x-2.0-beta2 - https://www.drupal.org/node/2482905
TFA Basic 7.x-1.0-beta2 - https://www.drupal.org/node/2482911
Comment #74
Mixologic
I should also comment here that I tried this out on the dev site, and tested all the typical paths (trusted browser, tfa app using google authenticator, used a recovery code) and the only problem I ran into was the drush issue.
Comment #75
drumm
Crossing off a couple of the deployment steps which are now done.
Comment #76
drumm
drupalorg_crosssite is now updated too.
Comment #79
drumm
TFA is now enabled on staging.devdrupal.org.
Comment #80
drumm
This has been deployed. The followup issue for giving everyone access to use this is #2483503: Let all confirmed users use two factor authentication.
Comment #81
greggles
Some quick queries show that 34% of the people who can enroll already have enrolled. That's...pretty awesome, as far as I'm concerned!
Comment #84
Ram_doss
I have installed TFA and TFA_BASIC module in my site. It seems to be working fine in local server with scanning bar code and setting up Application verification code and it says TFA is completed. Whereas in the dev server the same thing, after applying application and submitting, throws me this error "Invalid application code. Please try again.".
Can I know what could have caused this issue in the dev server alone??
Server PHP Version 5.5.38
MBSTRING enabled in php.
Thanks in advance.