MFA/2FA for accounts and login

[redtrillix]

So out of curiosity, how hard would it to add Multi-Factor Authentication when trying to log in, I use it all the time for other services and could see it improving security a lot.

I have no idea of implementing it or how hard it is to implement so I'd like to hear though for it.

[rejetto]

well, i guess it really depends on what is the second factor, plus the work to integrate it in the authentication system.
Email would require the admin to configure an smtp server, I guess?
SMS, an external service for it.
For Google Authenticator-like systems I guess there's nothing to pay, but users should install an app.
Face recognition could even be an option, no cost/apps/services.
So, a wild guess could be 10 hours of work.

[rejetto]

btw, thanks for your support :)

[redtrillix]

I was thinking the Google Authenticator, Authy, Microsoft Auth App's method.

I would say that is the best combination of ease-of-use and security, I assume all they would have to do is scan a qr code or enter the text phrase to add the account, and i know a few people already use the MFA app method.

Regardless, it sounds like a lot of work to develop something like that, i was just putting the idea out there.

[rejetto]

yes, it's interesting, and i hope to see it in the future, but since there is a lot of much more basic stuff missing, i wouldn't hold my breath.
And, of course, other people are welcome to try in the meantime.

[redtrillix]

This is true, i may have a look at it some time.
I appreciate the work you're doing tho.

[redtrillix]

I came across issue #773 and decided to give this another try. Using a bit of GitHub Copilot, I was able to put together this plugin which sorta works: /~https://github.com/redtrillix/hfs3/blob/dev/plugins/totp-mfa/plugin.js.

The plugin generates a TOTP code and listens for the attemptingLogin event to verify the code. However, I'm not entirely sure what your current login system uses for this process.
Ideally, the best approach would be to have a separate field for the TOTP code during login, or to prompt for the TOTP code after the username and password are entered.

At the moment, you need npm, and navigate to the totp-mfa plugin folder, then run npm install speakeasy qrcode.
Then you can navigate to hxxp[:]//localhost/mfa-setup/ to generate the qr code in your authenticator app.

File: totp-mfa-plugin.zip

[rejetto]

interesting project!
so you'd want to add extra information in the login form, right?
atm there's "beforeLogin", that you may use to expand the form visually, but it would still not send extra information.
the standard (hfs) login is a 2-step process (SRP), but i think that you should work on first step (request "loginSrp1"), when only the username is sent.
i can manage to gather this extra data and pass it from the browser within the loginSrp1 request, and then the extra data will be passed to attemptingLogin so that you can use it.
This data would be passed as sibling of "username", with the name you decide (totp?), and you don't need to take it from body.
I'm available to add the missing pieces, and send you a newer hfs so that you can see if it suits you. What you think?

[redtrillix]

Yeah an extra field on login, that sounds excellent.
I'm down to test it and see where we get.

[redtrillix]

Made a separate repo if it helps: /~https://github.com/redtrillix/totp-mfa/
Probably needs a better name though.

[rejetto]

attemptingLogin is triggered before any check (existence, password, enabled).
i'm not sure this is the moment you should check TOTP.
maybe it should be done after other checks, with another event?

[rejetto]

ok confirmed,
i'm introducing a new finalizingLogin event, and you will get "username" but also "inputs", where you can access your custom field.
If you have this:

exports.customHtml = {
    beforeLogin: `TOTP <input name=totp />`
}

you will access inputs.totp.

this version for you to test hfs-windows-x64-0.57.0-alpha0.1.zip

[rejetto]

this version has some important fixes hfs-windows-x64-0.57.0-alpha0.2.zip