Patch #1237

Add support for one time passwords or two-factor authentication

Added by Sam McCoy almost 10 years ago. Updated 17 days ago.

Status: Needs feedback
Start date: 2008-05-14
Priority: Normal
Due date: -
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: 4.1.0

Description

Please add support for a one time password service, such as Yubikey, and add the ability to authenticate against a two-factor authentication system (as in RSA SecurID).

0002-2-factor-authentication-disabled-enabled-required.patch (13.8 KB) Felix Schäfer, 2018-01-02 18:42
0001-2-factor-authentication-using-TOTP.patch (30 KB) Felix Schäfer, 2018-01-02 18:42
0003-Backup-codes-for-2-factor-authentication.patch (18.8 KB) Felix Schäfer, 2018-01-02 18:42
2fa-setting@2x.png (55.4 KB) Go MAEDA, 2018-01-04 07:30
2fa-my-account@2x.png (45.5 KB) Go MAEDA, 2018-01-04 07:34
2fa-enabling@2x.png (26.1 KB) Go MAEDA, 2018-01-04 07:35
2fa-enter-auth-code@2x.png (15.4 KB) Go MAEDA, 2018-01-04 07:39
ja-translation-2fa.diff (4.21 KB) Go MAEDA, 2018-01-29 05:19


Related issues

Related to Redmine - Feature #699: OpenID login Closed 2008-02-20

History

#1 Updated by Thomas Lecavelier almost 10 years ago

Good idea. Since OpenID (#699) should be implemented too, it could be an idea to build a plugin system for authentication, to help the introduction of new authentication systems.

#2 Updated by Etienne Massip over 6 years ago

  • Category set to Accounts / authentication

#3 Updated by Nathanael Hansen over 3 years ago

+1 for dual-factor authentication support

Thanks!

#4 Updated by Blagoy Chepelov about 3 years ago

+1 for two-factor auth; YubiKey, for instance, is open source and well documented.

#5 Updated by Ouss Orange over 2 years ago

+1 for Two-Factor Authentication support

#6 Updated by eric c over 2 years ago

+1 for Two-Factor Authentication, maybe using the one-time password with the Google Authenticator app

#7 Updated by Stephen Yeargin almost 2 years ago

This page (http://developers-club.com/posts/168063/) describes a potential method of using a low-level service to achieve this. It looks fairly complicated to set up, but it may help somebody. Would love to hear if it works.

#8 Updated by Fabián Rodríguez over 1 year ago

There is a plugin for 2FA including support for SMS, Telegram and authenticator apps:
http://www.redmine.org/plugins/redmine_2fa

#9 Updated by Felix Schäfer 4 months ago

Please find attached a proposed 2-factor authentication implementation for Redmine. The core logic for the TOTP scheme is implemented using the rotp gem.

The first of the 3 attached patches is an extendable implementation of 2-factor authentication including a default TOTP scheme. The second patch adds an option to require, optionally enable or disable 2-factor authentication for all users. The third patch adds support for creating and using backup codes.

The feature is implemented so that new 2-factor authentication schemes other than TOTP can easily be added, for example in a plugin. All scheme-specific localisation strings have a __#{scheme}__ identifier. Generally this is easier to do with namespaces, i.e. twofa.#{scheme}.some_string instead of twofa__#{scheme}__some_string, but the current Redmine tooling only supports top-level localisation keys.

Please furthermore note that the base 2-factor authentication is structured so that it can accommodate computed second factors (TOTP, HOTP, Keyfobs, …) or sent second factors (sending the code via SMS, telegram, …). Those sent second factors can contain a link with the code as query parameter so that the user can click on the link instead of copying the code into the text field in Redmine, which is why all actions that accept a 2-factor authentication code are also available via the GET verb.

We rolled out this feature to Planio a few weeks ago; the customers that use this feature have been happy with it so far.

Last but not least, we have created a plugin implementing a 2-factor email scheme to demonstrate how additional schemes can be implemented, and how a scheme that sends the one-time password instead of using a generated one can work with the patches proposed above. Please note that this plugin is only for demonstration purposes and should probably not be used in production; refer to the "Security considerations" section of the README for more details.
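To make the TOTP scheme and the backup-code mechanism described in this comment concrete, here is an added, self-contained Ruby example. It is not the patch attached to this issue and does not use the rotp gem; it implements RFC 4226 HOTP and RFC 6238 TOTP directly with the standard library, adds a ±1 time-step drift window, rejects reuse of a time step that has already been accepted (so a code captured in transit cannot be replayed within its window), and stores backup codes only as salted hashes that are consumed on first use. The module and class names, the drift window of one step, and the backup-code format are assumptions of this example, not Redmine's.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example: minimal RFC 6238 TOTP plus single-use backup codes.
# Not the Redmine patch and not the rotp gem; names here are assumptions.
module TwofaExample
  BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
  STEP   = 30   # seconds per TOTP time step
  DIGITS = 6
  WINDOW = 1    # accept one step of clock drift on each side

  # Decode an RFC 4648 base32 secret (the form authenticator apps scan).
  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map { |c|
      idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c}"
      idx.to_s(2).rjust(5, '0')
    }.join
    bits[0, bits.size - bits.size % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
  end

  # Fresh 160-bit secret, base32-encoded for provisioning (QR code / manual entry).
  def self.generate_secret
    bits = SecureRandom.random_bytes(20).unpack1('B*')
    bits.scan(/.{1,5}/).map { |chunk| BASE32_ALPHABET[chunk.ljust(5, '0').to_i(2)] }.join
  end

  # HOTP (RFC 4226) for one counter value: HMAC-SHA1 followed by dynamic truncation.
  def self.hotp(secret_b32, counter)
    key  = base32_decode(secret_b32)
    msg  = [counter].pack('Q>')                       # 8-byte big-endian counter
    hmac = OpenSSL::HMAC.digest('sha1', key, msg)
    offset = hmac.bytes.last & 0x0f
    code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**DIGITS)
    code.to_s.rjust(DIGITS, '0')
  end

  # TOTP (RFC 6238): HOTP with the counter derived from Unix time.
  def self.totp(secret_b32, at: Time.now.to_i)
    hotp(secret_b32, at / STEP)
  end

  # Per-user state a server would persist: secret, last accepted step, backup-code hashes.
  class Account
    attr_reader :secret

    def initialize(secret_b32 = TwofaExample.generate_secret)
      @secret = secret_b32
      @last_used_step = -1
      @salt = SecureRandom.hex(8)
      @backup_hashes = []
    end

    # Accept a code within the drift window, but never a time step at or before the
    # last one already used: this blocks replay of an intercepted code.
    def verify_totp(code, at: Time.now.to_i)
      current = at / STEP
      (-WINDOW..WINDOW).each do |drift|
        step = current + drift
        next if step <= @last_used_step
        if secure_compare(TwofaExample.hotp(@secret, step), code.to_s)
          @last_used_step = step
          return true
        end
      end
      false
    end

    # Issue backup codes; only salted hashes are kept, so a database leak does not reveal them.
    def generate_backup_codes(count = 10)
      codes = Array.new(count) { SecureRandom.hex(5) }   # constructed format: 10 hex chars
      @backup_hashes = codes.map { |c| hash_code(c) }
      codes
    end

    # Each backup code works exactly once.
    def consume_backup_code(code)
      h = hash_code(code.to_s.strip.downcase)
      idx = @backup_hashes.index { |stored| secure_compare(stored, h) }
      return false unless idx
      @backup_hashes.delete_at(idx)
      true
    end

    private

    def hash_code(code)
      Digest::SHA256.hexdigest("#{@salt}:#{code}")
    end

    # Constant-time comparison so code checks do not leak via timing.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
  end
end
```

With the RFC 6238 reference secret `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` (the ASCII string `12345678901234567890`), `TwofaExample.totp(secret, at: 59)` yields `287082`, matching the RFC's SHA-1 test vector. Submitting that same code a second time for the same step returns false, which is the behaviour to keep in mind if codes also arrive via a GET link as the comment above describes: the code is only ever good for one login.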

#10 Updated by Jan from Planio www.plan.io 4 months ago

  • Target version set to Candidate for next major release

#11 Updated by Jan from Planio www.plan.io 4 months ago

  • Tracker changed from Feature to Patch
  • Status changed from New to Needs feedback

#12 Updated by Go MAEDA 4 months ago

Thanks to Felix and Planio for sharing the patch. I think this is an outstanding enhancement because 2FA helps keep accounts secure and is a must-have feature for modern cloud-based applications. Many users should welcome this feature.

I tried out the patch. It works very well.

2FA is optional by default. Users can choose whether to use 2FA or not:

Users can enable 2FA on "My account" page:

Enabling 2FA:

One time password is required as well as login id and password when you sign in:

#13 Updated by Go MAEDA 4 months ago

  • Target version changed from Candidate for next major release to 4.1.0

Setting target version to 4.1.0.

#14 Updated by Mayank Ahuja 3 months ago

What is the release date of 4.1.0? Any tentative dates?

#15 Updated by Go MAEDA 3 months ago

  • File ja-translation-2fa.diff added

I have translated the messages in this patch.

#16 Updated by Go MAEDA 3 months ago

This is an updated Japanese translation. There were 2 untranslated strings in the previous patch.

#17 Updated by Go MAEDA 3 months ago

  • File deleted (ja-translation-2fa.diff)

#18 Updated by Go MAEDA about 1 month ago

Felix, could you add tests for this feature?

#19 Updated by Enziin System 17 days ago

Thanks Felix!

When applying it to the admin account, everything is OK.

But if I apply it to a normal user account, it errors:


Started POST "/my/twofa/totp/activate/init" for 127.0.0.1 at 2018-04-10 06:15:23 +0000
Processing by TwofaController#activate_init as HTML
Parameters: {"authenticity_token"=>"Yf7MaaWDeovRvA9IoRYE7hyAZs6aWjgvKB1ELuytNPfzuhN0IhwcIzWQ+df6llld8ksBuclPKCVepCwo0OsAhA==", "scheme"=>"totp"}
Current user: kevin-nguyen (id=6)
Redirected to https://www.enziin.com/my/twofa/totp/activate/confirm
Completed 302 Found in 73ms (ActiveRecord: 12.5ms)
Started GET "/my/twofa/totp/activate/confirm" for 127.0.0.1 at 2018-04-10 06:15:23 +0000
Processing by TwofaController#activate_confirm as HTML
Parameters: {"scheme"=>"totp"}
Current user: kevin-nguyen (id=6)
Rendered twofa/totp/_new.html.erb (422.5ms)
Rendered my/_sidebar.html.erb (14.1ms)
Rendered twofa/activate_confirm.html.erb within layouts/base (459.4ms)
Completed 500 Internal Server Error in 478ms (ActiveRecord: 10.3ms)

ActionView::Template::Error (No route matches {:action=>"destroy", :controller=>"twofa", :scheme=>"totp"}):
4: <%=l(:field_created_on)%>: <%= format_time(@user.created_on) %></p>
5:
6: <% if @user.own_account_deletable? %>
7: <p><%= link_to(l(:button_delete_my_account), {:action => 'destroy'}, :class => 'icon icon-del') %></p>
8: <% end %>
9:
10: <h4><%= l(:label_feeds_access_key) %></h4>
app/views/my/_sidebar.html.erb:7:in `_app_views_my__sidebar_html_erb___731617039739943373_70003011594380'
app/views/twofa/activate_confirm.html.erb:22:in `block in app_views_twofa_activate_confirm_html_erb_76021097380460310_46976643820260'
app/views/twofa/activate_confirm.html.erb:21:in `_app_views_twofa_activate_confirm_html_erb__76021097380460310_46976643820260'
lib/redmine/sudo_mode.rb:63:in `sudo_mode'


I fixed it:

In my/_sidebar.html.erb, by adding :controller => "my":

<% if @user.own_account_deletable? %>
<p><%= link_to(l(:button_delete_my_account), {:action => 'destroy', :controller => "my"}, :class => 'icon icon-del') %></p>
<% end %>
