Two factor authentication is a good idea. There are several ways to do it, but tfa 7.x-2.x and tfa_basic 7.x-1.x are probably the best option. They support the industry standard TOTP protocol with Recovery Codes as a backup method (and SMS if we want to support that, though it would require some API capable of sending SMS, which costs a small amount of money).

Testing TFA on Drupal.org

Steps to enable TFA and test on a devdrupal site.

  1. Go to https://tfa-drupal.redesign.devdrupal.org and for htauth use drupal:drupal
  2. Because passwords are sanitized on stage sites you'll need a one-time login link to get in (ping greggles or coltrane in #drupal or #drupal-contribute to get one)
  3. Set a password for your account (different than main drupal.org one)
  4. Click the "Security" tab on your account profile
  5. Choose to setup two-factor authentication
  6. Enter your password
  7. Choose application setup
  8. Install one of the recommended TFA applications (Google Authenticator, FreeOTP, etc) and scan the QR code or enter the code into your mobile application
  9. Once entered your application will generate a 6-digit numeric code that you'll enter back into the TFA form

See comment #13 for further steps and screenshots.

Two factor authentication deployment plan

  1. In settings.local.php set the following conf variables
    • $conf['tfa_basic_secret_key'] to the results of openssl rand -base64 32
    • $conf['tfa_basic_cookie_domain'] = '.drupal.org';
  2. Update drupalorg_crosssite
  3. Add tfa and tfa_basic modules to the site
  4. Merge & deploy drupalorg's 2239973-tfa branch
  5. Enable the modules and on admin/config/people/tfa choose to enable TFA
  6. Set TOTP as the default validation plugin, also enable recovery codes and help plugin
  7. Enable login plugin and set the default help text to

    Email help@drupal.org to reset your access.

  8. Inform administrators they should set up TFA for their account

Later,

  1. Send emails periodically to people with admin roles that have not set up TFA and encourage them to do so
  2. After 60 days, if someone hasn't enabled TFA their admin roles should be revoked (they can be regranted once the person has enabled TFA)
  3. Fix any bugs or documentation/usability issues encountered in the initial roll-out period
  4. Allow anyone with "community" role to set up TFA

Tools for Generating TOTP codes

There are multiple free and Free options for creating TOTP codes on a smartphone or laptop. Wiki and discussion about apps on groups.drupal.org at https://groups.drupal.org/node/438328


Comments

basic’s picture

I assume you want TFA 2.x with the tfa_basic plugins? Looking over the features this seems like a good approach.

coltrane’s picture

tfa_basic provides two plugins for the TFA module, TOTP and "remember by browser". I have recovery codes in a local plugin that I'll get on drupal.org soon.

gdemet’s picture

I'm +1 for this feature. Would we be able to use Google Authenticator with the implementation being discussed?

jyee’s picture

+1 would love to see this implemented.

vegantriathlete’s picture

I am using Google Authenticator on a couple of different services and am really happy with it. I'd love to see the ability to have TFA via Google Authenticator on d.o. and am thrilled to see that @greggles and @coltrane have started to take some steps to create the contrib modules to handle this!

greggles’s picture

Thanks for your support. I updated the issue summary to mention that yes, Google Authenticator will work.

I also removed individual issues and instead linked to meta issues that list the things to fix before a release.

greggles’s picture

Issue summary: View changes

Issue nid typos.

vegantriathlete’s picture

Can you clarify the last sentence in the first paragraph?

"There are multiple free and Free options for creating TOTP codes on your phone or laptop such as Google Authenticator, FreeOTP."

Specifically, I don't understand the part that says "There are multiple free and Free options". I guess I'm not understanding the difference between "free" and "Free". Are you making the distinction between "free as in beer" and "Free as in speech"?

coltrane’s picture

https://tfa-drupal.redesign.devdrupal.org/ is available for testing TFA 2.x-dev and TFA Basic 1.x-dev. It's been setup also with the recovery codes patch #2241621: Add "recovery codes" feature. The attached screenshots show how to enable TFA authenticator application for an account.

Steps to enable
1. Go to tfa-drupal.redesign.devdrupal.org and for htauth use drupal:drupal
2. Log in with your d.o account credentials
3. Click the "TFA" tab on your account profile
4. Choose to setup two-factor authentication
5. Enter your password
6. Choose application setup
7. Install one of the recommended TFA applications (Google Authenticator, FreeOTP, etc) and scan the QR code or enter the code into your mobile application
8. Once entered your application will generate a 6-digit numeric code that you'll enter back into the TFA form

You should also save recovery codes. You can mark the current browser as trusted but note that you won't be subjected to TFA during log in of course, unless you use a different browser.

coltrane’s picture

I'm working on this again with the plan to complete #2243871: [meta] Tracking next release (and ideally #2241821: Plan for TFA 7.x-2.2 release) in the next couple weeks.

https://tfa-drupal.redesign.devdrupal.org/ has been updated with latest work on TFA. The directions in the summary and #13 are correct.

I have feedback from webchick that will make it into TFA and TFA Basic issues but would really appreciate further review from folks who have expressed support thus far. @jyee @gdemet @vegantriathlete :)

skyredwang’s picture

I am trying to test https://tfa-drupal.redesign.devdrupal.org/ , but it asks for HTTP server authentication. Can anyone point me to certain testing policy or the requirements to get such access?

Dave Reid’s picture

@skyredwang: drupal/drupal for username/password.

I'm unable to login with my normal account credentials on the dev site. Do I need to do a password reset?

drumm’s picture

Dev site DBs are nearly public, so we sanitize out both emails and password hashes. https://www.drupal.org/node/1018084 has some info on logging in. Basically, use drush uli.

greggles’s picture

If someone wants to help test ping me in irc and I'll get you a drush uli for your account.

TFA works with a one-time-login link or you can set your password and then use it normally.

coltrane’s picture

Issue summary: View changes

Oy, I didn't realize/forgot passwords are sanitized on stage sites. I've updated the summary to say to ping greggles or myself for one-time login links.

dsnopek’s picture

@mlhess hooked me up with a login URL and I tested this a little bit. I'm going to have to wait until I get home to test with an actual smartphone - but I have some questions.

What is the plan for TFA for people without smartphones?

Personally, I have a box of smartphones I use for mobile testing, but I don't actually have a smartphone that I carry with me everywhere with telephone and internet service. :-) Is setting a "trusted browser" the plan to handle this?

I setup TFA on that demo site and set a trusted browser, however, when I login using a different browser, it goes through with just the password. Shouldn't it stop me, saying this browser isn't trusted (and maybe allow me to get in using one of the recovery codes)? My account page says that TFA is enabled:

... so I would have expected it to require more than just the password, even though I don't have a real TFA application setup. Or am I misunderstanding how this is supposed to work?

greggles’s picture

Issue summary: View changes

I added some links in the issue summary to browser-based ways to generate totp codes.

People can also just use the recovery codes and trusted browsers to get by. They'd need to enter a recovery code every month which isn't terrible. Periodically they'd need to add some more recovery codes.

coltrane’s picture

Thanks for testing @dsnopek!

"I setup TFA on that demo site and set a trusted browser, however, when I login using a different browser, it goes through with just the password."

I haven't been able to replicate this. When I setup TFA and set my current browser as trusted then try to log in from a completely different browser I'm presented with the TFA form after entering my name/password. Can you detail your steps please? I'm also available on IRC and/or Google Hangout for walking through your process. Thanks!

"What is the plan for TFA for people without smartphones?"

This definitely assumes people have a smartphone. There are some desktop solutions for TOTP, would you be willing to try them out?

The "trusted device" is not currently an option for 2nd factor sign-in. It's only a means to avoid TFA on *every* sign-in.

dsnopek’s picture

"I setup TFA on that demo site and set a trusted browser, however, when I login using a different browser, it goes through with just the password."

"I haven't been able to replicate this. When I setup TFA and set my current browser as trusted then try to log in from a completely different browser I'm presented with the TFA form after entering my name/password. Can you detail your steps please? I'm also available on IRC and/or Google Hangout for walking through your process. Thanks!"

I think the difference is that I enabled TFA, but without doing the "Setup application" stuff because I'm smartphone-less, only setting a trusted browser. When I have a chance, I'll try setting up one of the desktop solutions you referred to and then see if that causes it to ask for further authentication.

Anyway, if my guess is right, then it probably means the TFA code should be changed to kick in with just a trusted browser, even without an application setup, to make things easier for the smartphone-less. :-)

dsnopek’s picture

Ok, I tried the Firefox addon here:

https://marketplace.firefox.com/app/gauth-authenticator/

And it works great! Now that I understand how this works (hey, it's time based!) having never tried the TFA module before, this seems like a totally fine way to work for those without a smartphone. :-)

coltrane’s picture

Status: Active » Needs review

https://tfa-drupal.redesign.devdrupal.org/ has been updated with improvements to the set up process and account overview page. You can see a screenshot of the overview page in the attachment.

greggles’s picture

It's worth noting that the multi-step flow you created and help text on that page was created to address the problems that testers encountered so far. Hopefully there will be more success.

One area that is still a barrier for adoption seems to be choosing the right software to generate the one-time code. I moved some of the information from the original post and from comments into a wiki post on g.d.o: Recommended TOTP clients for TFA deployment on drupal.org. My hope is that we can come up with a list of at least a few solutions, ideally in order based on usability/security, that work on 95% of all platforms. It's clear we need solutions for people without smartphones or with models so old they don't run those programs.

drumm’s picture

Can the menu item be named something non-acronym? TFA isn't something I'd expect people to know offhand.

coltrane’s picture

Thanks for the feedback drumm! Yes, you can follow progress on the tab name at #2320705: Name of TFA tab?. I'll reference your comment there.

coltrane’s picture

Tagging Software Working Group for review based on https://www.drupal.org/governance/drupalorg-working-groups/software

edit, also the name of the tab has changed from "TFA" to "Security"

skyredwang’s picture

Status: Needs review » Needs work

After set up, I made a few tests:
1. login with a mobile authenticator -> works
2. login with a recovery code -> works
3. login with a used recovery code, got rejected -> works

But, "View unused recovery codes" feature is a big security risk, which allows people to steal others' codes/access easily. (For example, use someone's computer when this person is away). The easy solution is, like Google, Github, Linode, etc, once the recovery codes are generated, they are no longer viewable (Not sure if we need to encrypt the recovery codes).
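The "no longer viewable once generated" approach suggested above, as an added Python sketch that is not TFA Basic's implementation: only salted PBKDF2 digests are stored, so codes can be shown once at generation and each is deleted when redeemed. The class name, the 8-digit "XXX XX XXX" format and the work factor are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def _normalize(code: str) -> bytes:
    # Codes are displayed with spaces for readability; compare without them.
    return "".join(code.split()).encode()


def _digest(code: str, salt: bytes) -> bytes:
    # Slow, salted hash: 8 digits are too short to protect with a bare SHA-256.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code), salt, PBKDF2_ROUNDS)


class RecoveryCodes:
    """Hypothetical per-account store; holds (salt, digest) pairs only."""

    def __init__(self):
        self._stored = []

    def generate(self, count: int = 10) -> list:
        """Replace all codes and return the plaintext once, for the user to save."""
        self._stored = []
        shown, seen = [], set()
        while len(shown) < count:
            digits = "".join(secrets.choice("0123456789") for _ in range(8))
            if digits in seen:
                continue  # keep the batch free of duplicates
            seen.add(digits)
            salt = secrets.token_bytes(16)
            self._stored.append((salt, _digest(digits, salt)))
            shown.append(f"{digits[:3]} {digits[3:5]} {digits[5:]}")
        return shown

    def remaining(self) -> int:
        # Only a count can be reported; the codes themselves are unrecoverable.
        return len(self._stored)

    def redeem(self, code: str) -> bool:
        """Accept a code at most once; a used code is removed from the store."""
        for i, (salt, digest) in enumerate(self._stored):
            if hmac.compare_digest(_digest(code, salt), digest):
                del self._stored[i]
                return True
        return False


if __name__ == "__main__":
    store = RecoveryCodes()
    codes = store.generate(3)          # constructed sample batch
    print("save these now:", codes)
    print("first use :", store.redeem(codes[0]))
    print("second use:", store.redeem(codes[0]))
    print("left      :", store.remaining())
```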

skyredwang’s picture

I made another test. I can get in without proper access. I will report this secuirty problem via proper channel.

coltrane’s picture

If the "View unused recovery codes" was behind a password prompt would that mitigate showing them?

greggles’s picture

I don't see "view unused recovery codes" as any bigger risk than viewing more recovery codes.

I do agree that either version of it should be behind an extra password prompt for some extra security against the scenario @skyredwang describes.

coltrane’s picture

Status: Needs work » Needs review

https://tfa-drupal.redesign.devdrupal.org/ has been updated with latest work in TFA Basic (patches #2325409: Improve UX of set up and #2324159: Provide optional SMS plugin using Twilio*) which improve the UX of setup and implementing password control on viewing recovery codes.

* Note, while the SMS plugin is available it's not enabled.

vegantriathlete’s picture

I didn't have a TFA tab. I need to click Security.

vegantriathlete’s picture

Here is the successful setup.

vegantriathlete’s picture

Here is the successful prompt for the authentication code.

With the exception of needing to click "Security" instead of "TFA", the process worked beautifully for me!

I have not tested marking a browser as trusted. Nor have I tested using one of the recovery codes. Would you like me to test either / both of those?

vegantriathlete’s picture

FWIW: I am happy having the intermediate password prompt when clicking Reset application, Set trusted browsers, View unused recovery codes, Get new recovery codes and Disable TFA.

nnewton’s picture

Hi All,

Where does this stand at the moment and is there anything the infra team can do to help its progress?

I am not sure if having more people would help or hurt at the moment and wanted to check.

Thanks.

-N

greggles’s picture

Thanks, nnewton.

The issue summary links to two issues in the TFA/TFA_Basic queue for managing their stable release. Each of those issues links to lists of issues to fix. I would say those are things to fix in an ideal case, but even with them the modules do provide a strong improvement in security (i.e. still requires at least several hundred thousand brute force requests even if username and password are compromised). Some of those even have patches that need review.

I'm not sure if Ben agrees, but I think we could consider deploying this in its current state.

coltrane’s picture

If drupal.org deployed now and #2339449: Use better encryption and random source made it in then upgrading would break TFA for any user (because stored data would decrypt differently). If that's an acceptable annoyance (or if someone can assist with an update path) drupal.org could deploy now, otherwise it seems best to wait for a beta2. I unfortunately don't have an estimated delivery time for that.

tim.plunkett’s picture

Issue tags: +Needs screenshots

Fixing tags.

Leeteq’s picture

I think Drupal.org should also have support for the "U2F" ("Universal-Two-Factor") authentication standard that earlier this year was established by the FIDO alliance.

Ref. the FIDO alliance supporting members list:
https://fidoalliance.org/membership/members

(extracted a few well-known names...)

  • Google
  • Microsoft
  • Samsung
  • Paypal
  • VISA
  • MasterCard
  • Alibaba/Alipay (China)
  • Bank of America
  • Netflix
  • ARM
  • Blackberry
  • Qualcomm
  • Yubico
  • (and many more)

Demo video:
https://fidoalliance.org/adoption/video/yubico-fido-u2f-simple-secure-login

When many people now can use the same 2FA security token to secure their accounts with both Google, Paypal, Alipay, etc., as well as also easily for their individual Drupal sites using a Drupal contrib module, then I would think it be wise to avoid forcing people to choose between two different standards.

Therefore, I think it would be good if drupal.org not only supports (requires) TOTP, but also the U2F standard, which seems to be THE way forward. It seems that it is just a matter of a feature decision for the TFA module to also support U2F.

Notice also a significant flexibility detail between the two standards, where the latter does not require time stamp, meaning that the U2F standard supports security tokens that do not need a battery. This is quite important. Then each of the security token devices can last much longer. One of the available U2F devices comes with 10 year warranty already.

Google just opened their U2F Security Key support for Gmail and Google Accounts earlier this week:

http://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-ve...

Gmail U2F demo video:
http://vimeo.com/109365425

greggles’s picture

@Leeteq - this issue is about deploying tfa on drupal.org in the near term. There is much more than a matter of making a feature decision to support U2F: there is actual writing of code, reviewing for usability and security, and testing. Significant effort has been put into getting the TFA module through many of those steps although some work remains before it could be deployed. Adding an additional step at this point would delay an improvement. Let's please leave the discussion of U2F out of this issue until there is at least working code for it.

tvn’s picture

I finally got around to test this on the dev site. Great work! I used the Firefox Gauth Authenticator, it worked fine.

Now some questions and comments:
1. How will this affect password reset process, specifically one time login links?

2. What options are there if a person for some reason doesn't have the verification device and recovery codes anymore? What's the way to get in their account?

Some UI related stuff:
3. Once you start TFA setup, page title changes to TFA setup, Profile menu is gone, however Profile / Posts / Commits menu is still there, which looks kinda confusing.

4. The list of available applications inside of TFA setup only lists mobile ones, no desktop ones:
Google Authenticator (Android/iPhone/BlackBerry)
Authy (Android/iPhone)
Authenticator (Windows Phone)
FreeOTP (Android)

5. Can the links above have target="_blank"? Currently if you click on one of them, and then go back in your browser, you get page expired message.

6. When entering recovery codes, can we add a hint about their format to the text? Due to spaces in those codes it can be a little bit confusing.
So e.g.:
Enter one of your recovery codes (XXX XX XXX)

7. Most of the TFA related pages could use some margins between different paragraphs of text, form elements, buttons.
e.g.

8. It would be good to add some styling to the TFA setup page. Make headers bold, action links - buttons, ul list to have bullet points, and some spacing between different elements.
E.g.: https://www.drupal.org/files/issues/tvn___tfa_drupal_dev.jpg

9. Lastly, and this is totally minor. In this text:
"With TFA enabled, you sign on to the site with a uniquely generated code in addition to your username and password."
as a non-native speaker, for me personally "sign on to the site" is somewhat confusing. "Log in to the site" is much more understandable, or at least "sign in to".

Thanks again for all the work on this!

The dev site is pretty old and a lot of stuff got deployed on Drupal.org in the mean time. I think first step to prepare this for deployment would be to rebuild the dev site and configure TFA on up-to-date copy of Drupal.org.

Wim Leers’s picture

#51: great review — looking forward to being able to use this :)

coltrane’s picture

Status: Needs review » Needs work

(comment edited, responding to your questions)
@tvn, thanks so much for your review! Hugely helpful to have your feedback. Marking this back to needs work.

"1. How will this affect password reset process, specifically one time login links?"

"2. What options are there if a person for some reason doesn't have the verification device and recovery codes anymore? What's the way to get in their account?"

1. One time login links get a user past the first step of authentication but they are still required to go through the TFA code entry process to sign in

2. The best way is to contact an administrator to reset their access. #2326253: Provide help page plugin is a proposal to assist with that.

Many of your suggestions will likely be handled within the TFA Basic project. I've made note of your comment in #2243871: [meta] Tracking next release and will create issues after going through in more depth.

I suspect some of the theme-related points may require work within the drupal.org theme. I can probably do that, but it would be quicker to have assistance from someone more familiar with the theme and css.

And besides these new issues, TFA and TFA Basic are almost ready for a new tag. I have some local code for #2327441: Improve context management and dependency handling with plugin injection that I hope to have submitted for review in the next couple weeks.

I'll also rebuild the dev site soon if no one else gets to it first.

coltrane’s picture

I rebuilt http://tfa-drupal.redesign.devdrupal.org/ after getting devwww access again (thanks to drumm and basic` for their assistance).

http://tfa-drupal.redesign.devdrupal.org/ is running latest tfa and tfa_basic dev releases and applied patches:

To-do's from #53 still stand tho the meta issues of TFA and TFA Basic have some progress.

teachermac’s picture

When will there be a module for Drupal 8?

Thanks

Leeteq’s picture

@teachermac; this issue is for the implementation at drupal.org, which is using D7 for the foreseeable future.
Follow this issue in the TFA queue instead for your D8 question:
#2307785: Port TFA to Drupal 8

tvn’s picture

Untagging, DSWG reviewed this during our monthly call this week. We do think this is a great idea. Since it is already recognized at the official D.o roadmap (https://www.drupal.org/roadmap) under Community initiatives, no further actions from DSWG are required. We'd recommend 'd.o two factor auth' tag is added to all related issues to make it easier to see the scope of the initiative.

coltrane’s picture

Thanks tvn! I appreciate the sign-off.

The theme-related suggestions from #51 are something that may require another set of hands to help with or at least more research from me on how to implement. If anyone subscribed to this issue is interested in assisting with it and wants to triage any drupal.org theme changes and work on them please, by all means, do!

drumm’s picture

Assigned: Unassigned » drumm
drumm’s picture

Project: Drupal.org infrastructure » Drupal.org customizations
Version: » 7.x-3.x-dev
Component: Other » Code

Moving to drupalorg since there will be permissions changes. (Those are in a Feature now.)

greggles’s picture

I think there are still 1-2 things to fix in tfa and tfa_basic prior to deploying on d.o. If you can help on those it seems great!

coltrane’s picture

Issue summary: View changes
Issue tags: -Needs screenshots

Updating issue summary

  • drumm committed ef577a8 on 2239973-tfa
    Issue #2239973 by coltrane, drumm: TFA permissions
    
drumm’s picture

"Once you start TFA setup, page title changes to TFA setup, Profile menu is gone, however Profile / Posts / Commits menu is still there, which looks kinda confusing."

http://cgit.drupalcode.org/drupalorg_crosssite/commit/?id=10a2f730cec96f... hides the Drupal.org section navigation on these pages.

  • drumm committed 5c9a5c5 on 2239973-tfa
    Issue #2239973: Add action-button class to TFA actions
    
drumm’s picture

With #2480577: Improve UI for main Security tab, and the last commit here, the main UI looks like this:

Screenshot

drumm’s picture

Issue summary: View changes
Status: Needs work » Needs review

This is looking good to me, and is scheduled for deployment on Tuesday.

The initial deployment will let users with these roles use TFA: Full HTML user, Git administrator, administrator, security team, testing administrator, user administrator.

coltrane’s picture

Issue summary: View changes

Excellent!

Before next TFA tag I would like to get #2329867: Prevent the re-use of TOTP codes committed. Any review of that is appreciated.

Since this is only deploying for a limited set of people I'll make the next tag a beta2.

Additionally I'll expand documentation on drupal.org as part of #2273603: Document require TFA and UX challenge

Mixologic’s picture

Found an interesting issue. I tried to drush uli on the tfa-redesign site, but am getting the following message:

https://www.dropbox.com/s/5q0thbrjzfaosws/Screenshot%202015-05-02%2008.3...

coltrane’s picture

Pending any further review and issues, I'm planning to tag beta2 for TFA and TFA Basic modules tomorrow, May 4th for use in the first stage of d.o release. Any additional reviews? Based on #69, to test, you may need to setup TFA locally. (Note, the PHP mcrypt extension is necessary)

@Mixologic, I think @drumm rebuilt the stage and I'm not certain of its configuration. If your role is under the TFA setup requirement then that would prevent you from logging in even with a uli link. #2481253: Allow Drush uli login command to bypass TFA is a feature to allow drush-based logins but it's not blocking this deployment (IMO).

Additionally, I'm unable to ssh into devwww at the moment to check the setup. I'll ping in drupal-infra to troubleshoot it.

coltrane’s picture

Thanks to mlhess for assistance I was able to get into https://tfa-drupal.redesign.devdrupal.org/ and confirm the settings. No role is under the TFA requirement there.

@Mixologic, did you run drush uli 1? If so, please try again with your own UID. Otherwise please try again.

For anyone else interested in testing TFA on drupal.org stage site today please ping me in #drupal-contribute for a uli link for http://tfa-drupal.redesign.devdrupal.org/

Edit: http://tfa-drupal.redesign.devdrupal.org/ is now running TFA & TFA Basic development releases, which will soon be beta2.

drumm’s picture

I can confirm I was able to log in as Dries on dev. We shouldn't be locking him out of Drupal.org on deployment.

coltrane’s picture

Beta 2 releases made:

TFA 7.x-2.0-beta2 - https://www.drupal.org/node/2482905
TFA Basic 7.x-1.0-beta2 - https://www.drupal.org/node/2482911

Mixologic’s picture

I should also comment here that I tried this out on the dev site, and tested all the typical paths (trusted browser, tfa app using google authenticator, used a recovery code) and the only problem I ran into was the drush issue.

drumm’s picture

Issue summary: View changes

Crossing off a couple of the deployment steps which are now done.

drumm’s picture

Issue summary: View changes

drupalorg_crosssite is now updated too.

  • drumm committed 5c9a5c5 on 7.x-3.x, dev
    Issue #2239973: Add action-button class to TFA actions
    
  • drumm committed ef577a8 on 7.x-3.x, dev
    Issue #2239973 by coltrane, drumm: TFA permissions
    

  • drumm committed 1c9700b on 7.x-3.x, dev
    Issue #2239973: Require tfa permission was removed
    
drumm’s picture

Issue summary: View changes
Status: Needs review » Fixed
Issue tags: +needs drupal.org deployment

TFA is now enabled on staging.devdrupal.org.

drumm’s picture

Issue tags: -needs drupal.org deployment

This has been deployed. The followup issue for giving everyone access to use this is #2483503: Let all confirmed users use two factor authentication.

greggles’s picture

Some quick queries show that 34% of the people who can enroll already have enrolled. That's...pretty awesome, as far as I'm concerned!

  • drumm committed 79e7838 on 7.x-3.x
    Issue #2239973 by coltrane, drumm, greggles: Give more roles two-factor-...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Ram_doss’s picture

I have installed TFA and TFA_BASIC module in my site. It seems to be working fine in local server with scanning bar code and setting up Application verification code and it says TFA is completed. Whereas in the dev server same thing after applying application and submitting, throws me this error "Invalid application code. Please try again.".

Can I know what could have caused this issue in the dev server alone??


Server PHP Version 5.5.38

MBSTRING enabled in php.

Thanks in advance.