Multi-factor authentication (FHCA-2034)
Description
Activity
Carlos Ruiz October 28, 2021 at 10:24 AM
Reopening to fix two issues:
1 - when using the MFA with a System user (like SuperUser) the registration must be done in the user tenant; at this moment the SuperUser needs to register MFA in every tenant and that's undesirable, some tenants will log in without MFA
2 - when a user already has a device registered the default to re-register must be to extend the registration
Carlos Ruiz June 8, 2021 at 12:09 PM
Documenting possible future improvements:
configurable tenant enforce MFA (None, Advanced Roles, Everybody)
force MFA registration on login when required
implement notification to user on failed MFA attempts with IP address (or geolocation), maybe configurable after how many failures (default 2) - and the mechanism to notify (Notice / EMail / Login Broadcast)
trigger MFA validation in more events - at this moment it is just on login, but it could be triggered for example when changing password or on other certain critical security events
some sites recommend (others say it is bad) to implement an IP whitelist (for example the corporate VPN)
some sites recommend (others say it is bad) to implement recovery codes with the TOTP mechanism
some sensitive information is probably being left in process audit logs, implement a way to clear or obfuscate that
Carlos Ruiz June 7, 2021 at 8:30 PM
Thanks - committed
Implement an incremental delay in zk when the validation code is wrong (to avoid brute-force attacks)
ensures one-time only use of an OTP
Log failures in AuthFailure.log
It’s already deployed to https://test-feature.idempiere.org:3243
Ricardo Alexsander Santana June 7, 2021 at 5:12 PM
Another thing to consider is to log failed login attempts to AuthFailure.log. I checked there and my attempts to login using wrong codes were not logged.
Carlos Ruiz June 7, 2021 at 5:05 PM
Thanks,
Indeed that’s part of the IETF standard RFC 6238:
Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
I just missed that part, thanks for calling my attention there, will implement it a.s.a.p.
Regards,
Carlos Ruiz
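The two verifier rules discussed in this thread, the RFC 6238 section 5.2 requirement that an OTP is never accepted twice (comment above) and the incremental delay plus AuthFailure.log entry on a wrong code (the "committed" comment), as an added stand-alone illustration in Python. This is not iDempiere's code (the project implements it in Java/zk) and makes its own assumptions: a plus/minus one time-step drift window, a delay that doubles per failure and is capped at 30 seconds, a constructed log-line format, the RFC 6238 test key as the shared secret, and documentation IP addresses. The TOTP computation itself follows RFC 4226/6238.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # RFC 6238 default step X, in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP with T0 = 0: HOTP over the time-step counter."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side verifier for one user's registered device."""

    def __init__(self, secret: bytes, window: int = 1,
                 base_delay: float = 1.0, max_delay: float = 30.0):
        self.secret = secret
        self.window = window                # accepted clock drift, in time steps (assumption)
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.last_accepted_step = None      # highest time step already used successfully
        self.failures = 0                   # consecutive wrong codes
        self.log = []                       # lines that would go to AuthFailure.log

    def penalty_seconds(self) -> float:
        """Incremental delay the login form should wait before the next attempt.
        Doubles per consecutive failure, capped (schedule is an assumption)."""
        if self.failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)

    def _fail(self, reason: str, client_ip: str, unix_time: int) -> None:
        self.failures += 1
        # Constructed log-line format, not iDempiere's actual AuthFailure.log layout.
        self.log.append(f"{unix_time} MFA {reason} from {client_ip} "
                        f"(failure #{self.failures}, next delay {self.penalty_seconds()}s)")

    def verify(self, code: str, unix_time: int, client_ip: str) -> bool:
        step = unix_time // TIME_STEP
        for candidate in range(step - self.window, step + self.window + 1):
            expected = hotp(self.secret, candidate).encode()
            if hmac.compare_digest(expected, code.encode()):
                # RFC 6238 5.2: MUST NOT accept the OTP again after a successful
                # validation. Rejecting any step <= the last accepted one covers both
                # a replay within the same step and a stale code from an older step.
                if self.last_accepted_step is not None and candidate <= self.last_accepted_step:
                    self._fail("replayed code", client_ip, unix_time)
                    return False
                self.last_accepted_step = candidate
                self.failures = 0
                return True
        self._fail("wrong code", client_ip, unix_time)
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"           # RFC 6238 test key, not a production secret
    v = TotpVerifier(secret)
    print(v.verify(totp(secret, 59), 59, "203.0.113.7"))    # True: first use
    print(v.verify(totp(secret, 59), 70, "203.0.113.7"))    # False: same OTP replayed
    print(v.verify("000000", 70, "203.0.113.7"))            # False: wrong code
    print(v.penalty_seconds(), v.log, sep="\n")
```

The verifier only computes the delay; the login handler is expected to sleep for `penalty_seconds()` (or disable the form for that long) before accepting the next attempt, so the schedule stays testable without waiting.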
This ticket is to research and implement multi-factor authentication.
The whole process must be able to be managed consuming web services.