Multi-factor authentication (FHCA-2034)

Activity

Carlos Ruiz October 28, 2021 at 10:24 AM

Reopening to fix two issues:

1 - when using MFA with a System user (like SuperUser), the registration must be done in the user's tenant. At this moment the SuperUser needs to register MFA in every tenant, and that's undesirable: some tenants will log in without MFA

2 - when a user already has a device registered, the default when re-registering must be to extend the registration

Carlos Ruiz June 8, 2021 at 12:09 PM

Documenting possible future improvements:

  • configurable tenant enforce MFA (None, Advanced Roles, Everybody)

  • force MFA registration on login when required

  • implement notification to the user on failed MFA attempts with IP address (or geolocation), maybe configurable after how many failures (default 2), and the mechanism to notify (Notice / EMail / Login Broadcast)

  • trigger MFA validation in more events - at this moment it is just on login, but it could be triggered, for example, when changing the password or on certain other critical security events

  • some sites recommend (others say it is bad) implementing an IP whitelist (for example the corporate VPN)

  • some sites recommend (others say it is bad) implementing recovery codes with the TOTP mechanism

  • some sensitive information is probably being left in process audit logs; implement a way to clear or obfuscate that

Carlos Ruiz June 7, 2021 at 8:30 PM

Thanks - committed

  • Implement an incremental delay in zk when the validation code is wrong (to avoid brute-force attacks)

  • ensures one-time only use of an OTP

  • Log failures in AuthFailure.log

It’s already deployed to https://test-feature.idempiere.org:3243

Ricardo Alexsander Santana June 7, 2021 at 5:12 PM

Another thing to consider is to log failed login attempts to AuthFailure.log. I checked there and my attempts to login using wrong codes were not logged.

Carlos Ruiz June 7, 2021 at 5:05 PM

Thanks,

Indeed that’s part of the IETF standard RFC 6238:

Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

I just missed that part, thanks for calling my attention to it, I will implement it a.s.a.p.

Regards,

Carlos Ruiz

Fixed

Created May 6, 2021 at 6:38 PM
Updated August 11, 2022 at 9:20 PM
Resolved October 29, 2021 at 10:15 AM