It would be nice to secure the administration UI with some sort of two-factor authentication (such as the inclusion of the Authy or Google 2FA APIs) – I realise that this would require a separate profile / password management UI / tool for the end-users, but I never liked the idea of having the end-user changing their passwords within the same UI that allows for the administration of that server.
I am interested in this as well, but with a broader approach. It would be nice to have a two-factor configuration interface for Proxy Pass and Webpage configuration as well, thus allowing you to add authentication to anything that is hosted/proxied through NS.
(I realize that this may be a big ask, but security issues are on the rise and passwords are losing effectiveness.)
I hope you access your server (which is in a secure place) from the LAN side,
and if you need to access it from the WAN side, that you go through a VPN (your VPN).
A Nethserver instance is different from a “public” service like Google or Facebook…
It’s your private service… So I don’t understand very well the two-factor authentication.
I couldn’t speak specifically to Medworthy’s reasons, but I would assume that he would be concerned, as I am, that in this modern age even strong passwords are no longer sufficient in securing accounts, either external or internal.
In addition, I would like to present web services or pages externally secured with two-factor without the need for a VPN. This trims down the amount of required software. I would just need a web browser rather than both a browser and a VPN client.
Here is a crash course on Two Factor Authentication (2FA)
So you’d rather have 2 pieces of hardware? VPN lets you securely access any resource on the network… having a hard time understanding your logic.
Well, I’m not sure you have evaluated that correctly. First thing is that one form of 2FA is where the code is emailed to you. In that case you would not require a 2nd device. However, yes, I would opt for a phone token or the like. You appear to be inferring that I now have to carry something else with me. However, this is no disadvantage for me as I always have my phone with me.
Password-only security is beginning its end of life. Google, Microsoft, Facebook, Coinbase, and much of the corporate world have 2FA options in place because of how commonplace password breaches have become. While 2FA is not foolproof, it is a significant step up in the order of difficulty to defeat.
VPN is a great tool, but how are you authenticating that VPN? I believe the current setup is to use certificate based authentication with password as well. VPN authentication is in fact another opportunity to utilize 2FA. Many of the companies I have worked for use 2FA to secure their VPN, and I think that would be another good option as well.
Even with the current implementation, if you or I are out at another location without our own laptop or PC, how are you planning on using your VPN? I assume you would be able to download the VPN software to whatever you have available, but do you have your VPN cert on you? If you carry your cert on a USB key for this occasion, would that not count as a 2nd device? You can keep it on a cloud account, but now your VPN is at the mercy of the security of the cloud provider. That might be a solution you are comfortable with, but does that mean I have to be comfortable with it as well?
All that to say, I would like to have the option for incorporating a higher level of security.
Singular example, I run a vpn client on my ‘phone’, it’s set for full tunnel, the phone has a browser and a cli client, if I don’t want to use the phone to work, I turn on the phone’s hotspot feature and connect a laptop to it.
Personally, I have much more interest in using 2fa against my owncloud installs than against my server admin page.
Ahh, well there you have it… you are carrying your 2nd device already.
My desire is to have 2FA available for as much as possible, but not just the admin interface. For owncloud or any other webpage I would hope to have 2FA in place through the proxy pass.
I really don’t like the manner:
To connect to your private server, to depend on a Google API.
It’s not logical.
In the case to connect to a Google service, okay, it’s acceptable.
To connect to a private service, I don’t think.
It’s only my opinion
I have one device, for auth and work.
You have to carry your phone with you to use your VPN. All I need for two-factor is to carry my phone with me. So 2FA requires nothing more than what you already have with you normally.
You can interpret this two ways.
(1) You use your phone to access whatever (via VPN or 2FA) and therefore need only one device for either option.
(2) You use your phone to link a computer to your VPN and you are using two devices. I am using the phone to authenticate my access via a computer and I am using two devices.
You are running under the assumption that you need to depend on Google to supply you with the service of 2FA. This is false. There are 2FA implementations that can be run within your own environment.
You’re really confusing me, but then I’m a simpleton, so there you have it.
You need 2fa auth and a working environment, that’s one device and two software programs, plus the os and all the packages necessary to run your two software packages. How would you propose to trim that any farther?
I have a vpn client and a working environment (browser and or ssh client) on one device, I also have a 2fa app on said device but whatever.
It sounds like you only want to open the browser on your device, nothing more, which you can do because using the browser you can log into your email service to obtain your token for the other service you want to access using the same browser. Now, I would assume, since you’re all about security, that you would also have 2fa on your email service… that would require you to have some way of getting the token… like another software program… which takes you back to a minimum of two programs to interact with… if you really want to be secure.
So, I have to assume I’m not ‘getting it’, and we can just leave it at that.
Well, if you recall correctly, I said I would opt for the code generation on my phone rather than using the email service. So I would auth to everything from my phone. One device with one piece of software. The advantage is, I can go to a web browser on any system and get to any of my services. No VPN software or certificates.
I feel at this point that I have adequately explained the advantages and benefits of 2FA. I feel like you are arguing with me to prove that you have a better system of access. If your VPN setup is working and you're comfortable with it then I am certainly not going to argue with you to change it. If I want to secure everything with 2FA then I would hope you would afford me the same courtesy.
I’m sorry you feel that way, I doubt anyone here needs an explanation of the benefits of 2fa, personally, I and my clients have many instances of both 2fa and cert based access to many services and installations. I thought I made it clear that I was trying to understand how you proposed to minimize your use of hardware and software to access your services. Sorry I bothered you.
Apology accepted. Forum posts can be hard to read in terms of tone. I welcome honest questions and it sounds like that is what we have here. I imagine I was overly sensitive.