This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
2FA for logins #345
Comments
To do a sensible job of this we should probably have a separate 3PID verification service, as proposed in matrix-org/synapse#1710.
Is there any update on the work for this or anything?
Another crucial option would be via X.509, which would allow a large array of existing authentication methods to be used transparently.
Relevant: matrix-org/olm#5
RFC6238. Then people can use Google Authenticator, Authy, LastPass Authenticator, or pretty much any other standard 2FA app.
I'd really like to see Fido U2F like it's implemented by Yubico etc.
I strongly second U2F. It is well tested, standard, built to withstand phishing attacks, and never exposes any secrets to system memory.
Correct me if I'm wrong but wouldn't this require it to be implemented in a Matrix implementation rather than Riot? Matrix would have to support U2F, with Riot just passing on the authentication request.
@RyanSquared It would need to be implemented in both the UI and the authentication server IIRC.
So if it needs to be implemented on a backend server as well, is there a relevant issue for U2F or other 2FA methods on a backend server (or for the protocol)?
+1 for U2F
this is starting to get more urgent with the advent of cryptocommunities and other security-focused communities embracing Matrix. need to check out U2F and how it compares to TOTP and friends.
FYI, Firefox does not support U2F out of the box currently, but it was added to nightly last week, so should hopefully land at some point in the not too distant future.
I'd say it's not "last week", based on this article: https://www.yubico.com/2017/09/firefox-nightly-enables-support-fido-u2f-security-keys/
Before Firefox 57 you can use an addon for Firefox to use U2F. I currently use U2F without any addons in Firefox 57 Beta. According to their release schedules, they release Firefox 57 on 2017-10-14 (https://wiki.mozilla.org/RapidRelease/Calendar). I had to enable it manually though.
U2F would be great, although it is so far supported by Firefox, Chrome and Opera only. A note on Firefox 57: Users must turn on the U2F switch (security.webauth.u2f) manually in the "about:config" settings.
We'll pay for this to be implemented by the end of January, just send us a service contract.
Any updates on this?
Still no 2FA? 🙄
In my mind, the authentication in Synapse should be easily "pluggable" so I could for example easily replace the standard username+password authentication with a custom plugin that takes a username+password+OTP as input. I'm unsure of how such a thing should be supported on the client side, maybe the server should be able to say "Need a username+password+OTP" to the client and Riot should add such fields to the login form?
bump just to see if vector im took up @jaekwon on offering to sponsor if nothing else. 2 factor isn't optional at this point imo but I really like the potential of this project so hate to bail on the thing. will contribute myself eventually but reinventing-the-wheel with my personal time is too much for a project I'm just now considering adopting. my software engineering company would take the contract work to implement it for sure though 😄
@stevenaldinger I for one would gladly vote with my wallet towards such an effort if the matrix team lacks the resources to pursue this right now. Can we get a bounty going for this somehow? All the end to end encryption in the world is pointless if you can just phish someone's login. This is still a major adoption blocker for any serious use cases.
let me scope it out a little bit and see what it really takes to make it a reality and I'll update. client is js which I'm really comfortable with and have worked with this sort of thing before, synapse/matrix server is python and I might make a mess lol (but with test coverage! 🤣), haven't looked into if they're both needing updates at this point or what the deal is. I'll try to lead the hunt this week though, I'm interested.
Not having 2FA with fido(2) on a security platform is plainly ridiculous. At least throw in TOTP or even Google oauth.
An important thing to remember when implementing 2FA: allow for multiple second factors. IIRC AWS didn't. Allow any number (?) of U2F tokens and TOTP app tokens, preferably individually named. And recovery codes.
Agreed. And the method of 2FA shouldn't be forced on HS operators, i.e I should be able to choose TOTP or U2F depending on my use case by using a certain plugin (if possible).
They most likely use some kind of SSO (SAML? CAS? OpenID Connect?) that handles 2FA on another layer. Like keycloak. But I would not recommend SAML as you can now use OpenIDC.
"2FA by matrix, using another device." - This is definitely needed, especially by a "Verified" alternate device (text, emoji, etc).
Please keep in mind, that FIDO2/WebAuthn also supports password-less single factor authentication using only your hardware key (and maybe an additional PIN to unlock the device). Would be great, if you could support this too so passwords are no longer needed. The concept of passwords as an identification secret is fundamentally broken, anyway. This would of course require mechanisms to register multiple authentication devices or generate backup keys so one doesn't lock itself out when losing a device.
Once a PIN is required, it is two factor authentication.
jfyi It's the 'passwordless' movement you are defining. In essence, it's just a more secure 1FA. The authentication merges to one factor during communication with the service. Metaphorically speaking, if you have a key enclosed in a box, you open the box with a code to take out the key. You still use one key to open the door, as opposed to a keyhole and a pin on the door. Nevertheless, PIN + hardware, considering most of the users and use cases, is still likely to be more secure than just a passphrase/PIN.
In case anyone is wondering why this hasn't happened yet: we've found that most people who want 2FA are also using SSO, and so can use the SSO provider (keycloak etc) for this. However, we still want to get it natively into Matrix, but it's in the middle of the feature backlog.
I'd like to point out that I have an outstanding feature request that I reported for TLS / X.509 client certificate authentication. If implemented, it would require no change at all to Synapse, Dendrite, or the Matrix protocol, and would still provide an additional factor of very robust, well-understood authentication.
I believe a TLS certificate would not be what a regular user expects from a platform offering MFA. By looking at the comments in this issue it is clear that TOTP, U2F and FIDO2 / WebAuthn are preferred methods.
SMS is not 2FA, everyone with an SS7 account can listen to the messages. Email is unencrypted. What about TOTP? Let's just stick to well-established standards. https://tools.ietf.org/html/rfc6238 Standards ftw!
Obligatory response: https://xkcd.com/927/
TOTP would be nice if added
Since 2016.. and counting
TOTP? FreeOTP, Aegis, Google Authenticator, hardware OTP?
I believe the intent was to use the second device, already signed into Matrix, as a 2FA method.
I think Element has given up on this and moved the issue to https://areweoidcyet.com/ 2FA/MFA currently depends on login system of your homeserver
Steal a device or get access for half a minute, add a device... This does not seem to be a good idea. I'd go with WebAuthn instead. Or alternatively a way to disable this and require entering the password to enable this again.
Also, WebAuthn. The standard many sites now adopt. Much better than TOTP, but for the users that don't have a WebAuthn device, TOTP is still better than no 2FA at all.
OIDC seems to be the way forward (for synapse, dendrite just dropped PR for OIDC). So make sure you pick an auth provider that supports 2FA. https://areweoidcyet.com/ . WebAuthn is supported by a very wide range of devices since google/apple/microsoft passkeys are built on top of webauthn.
When I log in (using a username/password or 3PID/password combo), we should give users the option to also require a two factor authentication (or multi-factor authentication) via other channels. Options are: