Secure Auth
Enhanced TOTP Authentication to allow users more and better methods of authentication for both web and mobile.
added issue engine#274
mentioned in epic &35 (closed)
@ottman, Again I see that you are posting epic topics without including any actual descriptive information and only providing a very vague title. Whilst I do understand and appreciate the time constraints that you may have, I also understand that it does not take more than 10 minutes at the most (and usually a lot less) to provide actual information about said topic.
I am afraid to say that this ongoing limiting of good administration housekeeping procedures may actually discourage further support and collaboration from the wider community (which is something that none of us would like to see and would want to limit as much as possible, with the aim to encourage further participation within the development and support of the Minds.com project). Also it is worth noting that we all want to encourage further transparency within the Minds.com project and this form of extremely limited information could be considered as promoting the idea of a lack of wider transparency.
However, irrespective of the above critique (which has been provided within the spirit of good faith and with the aim of wanting to improve support of the overall project), as you might be aware, within various previous Help and Support (H&S) enquiries, I have been providing replies which have attempted to provide information about why the existing Short Messaging System Two Factor Authentication facility (SMS 2FA) has not been as successful as originally expected and could be considered as being more of a problem for users that may have limited Global System for Mobile communication (GSM) coverage (I am providing a URL to one of the H&S enquiries that I have provided a reply to -- see below).
I am extremely encouraged and pleased to see that the Time-based One-Time Password algorithm (TOTP) based 2FA idea is now being seriously considered as a replacement for the existing SMS 2FA functionality.
Reference:
Edited by Mark Edworthy
changed title from to
https://fidoalliance.org/ thoughts?
@ottman As far as I can see, FIDO-U2F and FIDO2 specifications require an extra end-user hardware solution for authentication (i.e. the usage of a Yubikey or other interface / device) which may not be readily available to the end-user.
Also, the FIDO-U2F and FIDO2 specifications currently seem to be browser restrictive (i.e. fully compatible only with certain browsers) and by using FIDO-U2F / FIDO2 styled authentication, Minds will be further restricting browser accessibility (as I have stated previously, it should not generally be determined by an Internet based platform provider, i.e. Minds Inc, which browsers and / or devices the end-user should or should not be using. This is even more of an issue when the Internet based platform provider is trying to promote open source ideals and end-user / consumer choice).
On a final note, the OATH-TOTP specification is a recognised IETF (Internet Engineering Task Force) standard (RFC6238), whereas FIDO-U2F / FIDO2 specifications are not formally recognised by the IETF.
Edited by Mark Edworthy
Hey, which open source framework do you recommend as an authenticator?
@ottman, Apologies for not replying to this sooner but unless you include the relevant user's alias / tag within the comment, the user will not necessarily be notified about said feedback (for future reference, please remember to include users' tags within corresponding comments. @luculent, thanks for notifying me about Bill's latest question).
As far as frameworks are concerned, I would suggest promoting the FreeOTP project to the users, so that they can interact with the optional TOTP framework as part of the authentication process.
For the backend framework, I suggest looking at the following open source projects (I have not fully reviewed these projects, so I am not sure about the suitability of incorporating any of these within the existing Minds frameworks).
Reference:
- multiOTP (AGPL): https://github.com/multiOTP/multiotp
- OTPHP (BSD / MIT License): https://github.com/Spomky-Labs/otphp
- TwoFactorAuth (BSD / MIT License): https://github.com/RobThree/TwoFactorAuth
- FreeOTP (Apache 2.0 License): https://freeotp.github.io
Edited by Mark Edworthy
Thank you. We will review your links. @benhayward.ben @edgebal @msantang78 @eiennohi @brianhatchet @ramialbatal @markeharding
Thanks for your time and effort @medworthy. All look nice at a glance, I believe the best course of action from here would be for us to conduct a more objective analysis, so I've spawned a task here so that we can keep that separate and allocate it properly internally. engine#434
mentioned in issue minds#493 (closed)
changed the description
changed the description
changed start date to Mar 10, 2020
changed finish date to Apr 21, 2020