Two-factor local login option


(Lee_Ars) #1

So, authentication on Discourse seems like mostly a solved problem since you can offload it to an external provider, but I’d love for Discourse to have a two-factor option for local authentication. It seems relatively uncomplicated to bolt-on support for TOTP via Google Authenticator—for example, here’s a Google Authenticator add-on implementation in PHP for Roundcube. Right, right, apples and oranges, php and ruby, webmail and forum, but the libraries are all there and it’d definitely make me happy to see a two-factor option.


(Lee_Ars) #2

I’ll bump this just once, and then let it go. Would love for quick TOTP integration, but I understand that this might not be the time.


(Luke Larris) #3

Would like to see this as well, I’ve recently gotten obsessed with two-factoring all my online accounts. And Authy is amazing, by the way.


(Sam Saffron) #4

For the record we are 100% for this feature, it's just a matter of time. Too strapped for it now.


(Ernest Lee) #5

I wonder if we can get 2 factor auth for version 1.0?


(Jeff Atwood) #6

No, definitely not. Sorry.


(Manthan Mallikarjun) #7

I would like this feature. Hopefully by 1.1.


(Sam Saffron) #8

Simplest way of pushing a feature forward in the schedule is contributing a PR


(Coin Fire) #9

Giving this a bump because I would really like to see this feature as well.

If I had the skills I would submit something back to the project code wise to help move this along but I do not.

The first forums software to have this feature easily out of the box is the one I am likely going to be going with. I hope this is the one that has it first in all honesty as this seems to be the best designed software I have seen yet for forums.

My audience demands 2FA for all such things and sadly it appears I will be forced to use bbPress (really, really, awful) because it has support for Authy via a WordPress plugin at the moment.


(N3tNinj4) #10

If I may suggest something to keep in mind; Authy isn’t free e.g.: https://www.authy.com/pricing I did some research and found that Github built their own two-factor authentication system but it is NOT open source or usable by anyone but them (I was a little surprised at first but maybe they have good reason for that, idk).

My point is that it may be wise to build it from scratch(ish) and into the core instead of relying on costly third parties. Here is a good example of one called Authlogic that is built on Ruby and MIT licensed: GitHub - binarylogic/authlogic: A simple ruby authentication solution. (see also: File: README — Documentation for binarylogic/authlogic (master)).

Just a suggestion but please keep in mind that any third party isn’t going to be free and stuff like that really adds up for admins and discourages people from using Discourse for that very reason.

Peace to all.


(Manthan Mallikarjun) #11

Any future for this?


(Sam Saffron) #12

We want this, but do not have it slotted yet.


(Manthan Mallikarjun) #13

Oh, ok. :frowning: I would love to see it sometime in the near future.


(Lee_Ars) #14

Reviving this topic a bit—I recently got exposed to Duo Security’s super cool 2FA push authentication when we started rolling it out at Ars for staff, and I quickly decided I wanted to use it myself. I slapped it onto my self-hosted Roundcube install and am now using it on my ssh gateway box (via PAM integration—neat!!).

While TOTP-type 2FA would be great for normal users, the option to require 2FA for admins and mods should absolutely be a high priority. Duo is free for up to 10 users, and a Duo plugin for Discourse with the option of only requiring it for Admins/Mods would be awesome.

@sam and @codinghorror, I know you guys are busy, but this would be pretty damn cool. I’m willing to offer a bounty on it if you guys code for contributions :wink:


(Erick Guan) #15

I like 2FA too. I’d like to work on this feature. However, we are so close to announce 1.2 so I think it’s better to develop it for the next release.


(Jeff Atwood) #16

It makes me :smiley: when people use “we” to talk about Discourse releases.


(Markus) #17

YubiKey or at least Google Authenticator support would be really great!!!

https://www.yubico.com/applications/single-sign-on/

By the way: Does anyone have some experience with SSO integration with services that already support this? Something like clavid.ch?

Thanks!


(Lee_Ars) #18

Definitely still waving the flag for Duo. It’s just slick as hell.

(They have a ruby library for fast integration! Quality awesome coders like @sam and @eviltrout could probably bang this out in an afternoon!!)


(Sam Saffron) #19

I just wish I could invent more afternoons :slight_smile:


(Erick Guan) #20

https://github.com/discourse/discourse/pull/3282

The process is:

  1. A user goes to the profile page.
  2. The user opens the two factor authentication setting page.
     • It only shows up if the admin allows it.
  3. The user scans or inputs the secret into the devices.
     • most likely the Google Authenticator
     • I am not familiar with other apps or Yubikey…
  4. When the user wants to login:
     a. The user enters their credentials and logs in.
     b. The modal changes, the user needs to enter the two factor authentication code, then logs in.

For devs:
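The enrol-then-verify flow described in the post above (and the TOTP/Google Authenticator option asked for in the opening post) boils down to RFC 4226 HOTP under a 30-second time counter. The following is an added, self-contained Ruby illustration of that mechanism; it is not Discourse's code and not taken from the linked pull request, and the helper names (`enroll_totp`, `verify_totp`, the Base32 helpers) are this example's own. It covers the two things a server-side verifier needs beyond the code math: a small drift window for clock skew, and a `last_used` step so an intercepted code cannot be replayed inside that window.

```ruby
# Added example: minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) enrolment and verification in plain Ruby.
# Illustrative only; not Discourse's implementation. All helper names here are this example's own.
require 'openssl'
require 'securerandom'
require 'erb'

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# Base32 (RFC 4648, unpadded) is the form authenticator apps expect in the QR code or manual entry.
def base32_encode(bytes)
  bits = bytes.unpack1('B*')
  bits.scan(/.{1,5}/).map { |chunk| BASE32_ALPHABET[chunk.ljust(5, '0').to_i(2)] }.join
end

def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map { |c| BASE32_ALPHABET.index(c).to_s(2).rjust(5, '0') }.join
  [bits[0, bits.length - (bits.length % 8)]].pack('B*')
end

# HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits.
def hotp(secret_bytes, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest('SHA1', secret_bytes, [counter].pack('Q>')).bytes
  offset = hmac[-1] & 0x0f
  code = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) | (hmac[offset + 2] << 8) | hmac[offset + 3]
  (code % 10**digits).to_s.rjust(digits, '0')
end

# TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
def totp(secret_bytes, at: Time.now.to_i, step: 30, digits: 6)
  hotp(secret_bytes, at / step, digits: digits)
end

# Compare without revealing, through timing, how many leading characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Enrolment (steps 2-3 of the post): a fresh random secret plus the otpauth:// URI that gets rendered
# as the QR code. The raw secret is what the server stores (encrypted at rest) for later verification.
def enroll_totp(account:, issuer:)
  secret = SecureRandom.random_bytes(20)
  label = ERB::Util.url_encode("#{issuer}:#{account}")
  uri = "otpauth://totp/#{label}?secret=#{base32_encode(secret)}&issuer=#{ERB::Util.url_encode(issuer)}"
  [secret, uri]
end

# Login (step 4): accept the current step or one step either side (clock drift), but refuse any step
# at or before the last accepted one so the same code cannot be replayed inside the window.
# Returns the matched step (store it as last_used) or nil on failure.
def verify_totp(secret_bytes, submitted, at: Time.now.to_i, step: 30, digits: 6, drift: 1, last_used: nil)
  submitted = submitted.to_s.delete(' ')
  return nil unless submitted.match?(/\A\d{#{digits}}\z/)
  current = at / step
  (-drift..drift).each do |d|
    candidate = current + d
    next if last_used && candidate <= last_used
    return candidate if secure_equal?(hotp(secret_bytes, candidate, digits: digits), submitted)
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample account; the issuer/account strings are placeholders.
  secret, uri = enroll_totp(account: 'admin@example.invalid', issuer: 'Discourse')
  puts "Provisioning URI: #{uri}"
  code = totp(secret)
  puts "Current code #{code} verifies as step #{verify_totp(secret, code)}"
end
```

The `last_used` step is the part most home-grown verifiers omit: with a one-step drift window, a code stays valid for up to 90 seconds, so persisting the accepted step per user and rejecting anything at or below it is what turns "time-based" into "one-time". The secret must also be treated like a password-equivalent at rest, since anyone holding it can mint valid codes.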