Two-factor local login option


(Luke Larris) #3

Would like to see this as well, I’ve recently gotten obsessed with two-factoring all my online accounts. And Authy is amazing, by the way.


(Sam Saffron) #4

For the record we are 100% for this feature, it's just a matter of time. Too strapped for it now.


(Ernest Lee) #5

I wonder if we can get 2 factor auth for version 1.0?


(Jeff Atwood) #6

No, definitely not. Sorry.


(Manthan Mallikarjun) #7

I would like this feature. Hopefully by 1.1.


(Sam Saffron) #8

Simplest way of pushing a feature forward in the schedule is contributing a PR.


(Coin Fire) #9

Giving this a bump because I would really like to see this feature as well.

If I had the skills I would submit something back to the project code-wise to help move this along, but I do not.

The first forums software to have this feature easily out of the box is the one I am likely going to be going with. I hope this is the one that has it first in all honesty as this seems to be the best designed software I have seen yet for forums.

My audience demands 2FA for all such things and sadly it appears I will be forced to use bbPress (really, really, awful) because it has support for Authy via a WordPress plugin at the moment.


(N3tNinj4) #10

If I may suggest something to keep in mind: Authy isn't free (e.g. https://www.authy.com/pricing). I did some research and found that GitHub built their own two-factor authentication system, but it is NOT open source or usable by anyone but them (I was a little surprised at first, but maybe they have good reason for that, idk).

My point is that it may be wise to build it from scratch(ish) and into the core instead of relying on costly third parties. Here is a good example of one called Authlogic that is built in Ruby and MIT licensed: binarylogic/authlogic on GitHub ("A simple ruby authentication solution"; see also its README).

Just a suggestion, but please keep in mind that any third party isn't going to be free, and stuff like that really adds up for admins and discourages people from using Discourse for that very reason.

Peace to all.


(Manthan Mallikarjun) #11

Any future for this?


(Sam Saffron) #12

We want this, but do not have it slotted yet.


(Manthan Mallikarjun) #13

Oh, ok. :frowning: I would love to see it sometime in the near future.


(Lee_Ars) #14

Reviving this topic a bit—I recently got exposed to Duo Security’s super cool 2FA push authentication when we started rolling it out at Ars for staff, and I quickly decided I wanted to use it myself. I slapped it onto my self-hosted Roundcube install and am now using it on my ssh gateway box (via PAM integration—neat!!).

While TOTP-type 2FA would be great for normal users, the option to require 2FA for admins and mods should absolutely be a high priority. Duo is free for up to 10 users, and a Duo plugin for Discourse with the option of only requiring it for Admins/Mods would be awesome.

@sam and @codinghorror, I know you guys are busy, but this would be pretty damn cool. I’m willing to offer a bounty on it if you guys code for contributions :wink:


(Erick Guan) #15

I like 2FA too. I'd like to work on this feature. However, we are so close to announcing 1.2 that I think it's better to develop it for the next release.


(Jeff Atwood) #16

It makes me :smiley: when people use “we” to talk about Discourse releases.


(Markus) #17

YubiKey or at least Google Authenticator support would be really great!!!

https://www.yubico.com/applications/single-sign-on/

By the way: does anyone have experience with SSO integration with services that already support this? Something like clavid.ch?

Thanks!


(Lee_Ars) #18

Definitely still waving the flag for Duo. It’s just slick as hell.

(They have a ruby library for fast integration! Quality awesome coders like @sam and @eviltrout could probably bang this out in an afternoon!!)


(Sam Saffron) #19

I just wish I could invent more afternoons :slight_smile:


(Erick Guan) #20

https://github.com/discourse/discourse/pull/3282

The process is:

  1. A user goes to the profile page.
  2. The user opens the two-factor authentication settings page.
  • It only shows up if the admin allows it.
  3. The user scans or inputs the secret into their device.
  • Most likely Google Authenticator.
  • I am not familiar with other apps or YubiKey…
  4. When the user wants to log in:
  • The user enters their credentials and logs in.
  • The modal changes; the user needs to enter the two-factor authentication code, then log in.

For devs:

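The enrollment-and-login flow in the post above is standard RFC 6238 TOTP: the server generates a secret, shows it to the user (usually as an otpauth:// QR code), and on login checks the six-digit code the authenticator app derives from that secret and the current 30-second step. The following is an added example of that server-side logic in plain Ruby (Discourse is a Rails app), not code from the PR linked above or from Discourse. The module and method names are hypothetical; the secret used in the usage block is the published RFC 6238 test secret, not a real credential.

```ruby
require 'openssl'
require 'securerandom'
require 'erb'

# Added example: minimal TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30s step)
# for an enrol-then-verify login flow. Module/method names are hypothetical.
module TotpExample
  BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
  STEP   = 30   # seconds per counter step
  DIGITS = 6    # code length shown by the authenticator app

  # RFC 4648 base32, the encoding authenticator apps expect for the secret.
  def self.base32_encode(bytes)
    bits = bytes.unpack1('B*')
    bits.scan(/.{1,5}/).map { |chunk| BASE32_ALPHABET[chunk.ljust(5, '0').to_i(2)] }.join
  end

  def self.base32_decode(str)
    bits = str.upcase.delete('= ').each_char.map do |c|
      idx = BASE32_ALPHABET.index(c)
      raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
      idx.to_s(2).rjust(5, '0')
    end.join
    bits = bits[0, bits.length - (bits.length % 8)] # drop padding bits
    [bits].pack('B*')
  end

  # Step 1 of enrollment: a fresh 160-bit secret from a CSPRNG. In a real app
  # this would be stored (encrypted) as *pending* until the user proves they
  # scanned it by submitting one valid code.
  def self.generate_secret
    base32_encode(SecureRandom.random_bytes(20))
  end

  # What gets encoded into the QR code the user scans.
  def self.provisioning_uri(secret, account, issuer)
    label = ERB::Util.url_encode("#{issuer}:#{account}")
    "otpauth://totp/#{label}?secret=#{secret}&issuer=#{ERB::Util.url_encode(issuer)}" \
      "&algorithm=SHA1&digits=#{DIGITS}&period=#{STEP}"
  end

  # RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation.
  def self.hotp(secret, counter)
    key  = base32_decode(secret)
    hmac = OpenSSL::HMAC.digest('sha1', key, [counter].pack('Q>')).bytes
    offset = hmac[19] & 0x0f
    code = ((hmac[offset] & 0x7f) << 24) |
           (hmac[offset + 1] << 16) |
           (hmac[offset + 2] << 8) |
           hmac[offset + 3]
    (code % 10**DIGITS).to_s.rjust(DIGITS, '0')
  end

  def self.totp(secret, at: Time.now.to_i)
    hotp(secret, at / STEP)
  end

  # Constant-time comparison so the check does not leak how many digits matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Step 4 of the flow (the second login modal). Accepts +/- `drift` steps of
  # clock skew and refuses to accept a counter at or below the last one used,
  # so a captured code cannot be replayed inside its validity window.
  # Returns the accepted counter (to persist as last_used_counter) or nil.
  def self.verify(secret, code, at: Time.now.to_i, last_used_counter: nil, drift: 1)
    return nil unless code.is_a?(String) && code.match?(/\A\d{#{DIGITS}}\z/)
    counter = at / STEP
    (-drift..drift).each do |d|
      c = counter + d
      next if last_used_counter && c <= last_used_counter
      return c if secure_compare(hotp(secret, c), code)
    end
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), not a real key.
  secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
  puts TotpExample.provisioning_uri(secret, 'alice@example.com', 'Discourse Example')
  puts TotpExample.totp(secret, at: 59)                      # 287082
  p TotpExample.verify(secret, '287082', at: 59)             # 1
  p TotpExample.verify(secret, '287082', at: 59, last_used_counter: 1) # nil (replay)
end
```

The two checks worth noting are the replay guard (persist the accepted counter per user and reject anything at or below it) and the narrow drift window; a real deployment would also rate-limit attempts on the second modal, since a six-digit code is only brute-force resistant if the server caps guesses.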

(Jasper Siepkes) #21

I originally posted this in the GitHub PR, sorry about that, should have posted it here. I have some thoughts and humble opinions :wink: on this and thought I'd share 'em:

Cool feature! We are currently using two-factor authentication with Discourse and OpenAM (OAuth2). One advantage of offloading the more complex authentication to an AM solution like OpenAM (or Gluu, or whatever AM solution you want to use) is that it allows for vastly more flexibility than Discourse probably ever will. So while I think it's really cool what you've made, I would just like to point out that it might be wise for the devs to think about how much security complexity they want to pull into Discourse and where to draw the line and offload it to other solutions.


(Erick Guan) #22

Sorry for late response :frowning:

When reading about this feature request, I think the team wants this in the core. So here it is. And you can still use the third-party service without a doubt! It's optional.