[BlueOnyx:26748] Re: GUI development: BlueOnyx 2FA for GUI logins

Taco Scargo taco at blueonyx.nl
Thu Feb 8 03:34:59 -05 2024


Hi Michael,

Seems reasonable and logical to me.
Just one question: what if a user “loses” his/her 2FA device/app?
Have you thought of introducing “reset tokens”?

Similar to how Github does it?

Thanks,

Taco

> On 8 Feb 2024, at 06:36, Michael Stauber via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
> 
> Hi all,
> 
> The work on the new Elmer Theme for BlueOnyx 5211R (and later on 5210R) is progressing nicely.
> 
> I've just completed porting all GUI elements and pages to the new Elmer theme after three months of hard work.
> 
> As the intention has always been to keep the old "Adminica" GUI as an option that could be reverted back to (both on a server- as well as individual user level) I sort of broke some parts of the Adminica GUI by adding new features.
> 
> I'm now in the process of fixing those "Adminica"-theme related issues. Means: An end is in sight. \o/
> 
> But before fixing those old theme issues I am currently toying with 2FA authentication for GUI logins.
> 
> I have a prototype of it currently working and it uses the same 2FA tokens and mechanisms that we already use to protect SSH.
> 
> 
> My intended implementation for this is as follows:
> ===================================================
> 
> Under "Server Management" / "Maintenance" / "Server Desktop" any server-administrator can enable/disable the new switch "GUI access: Two-Factor-Auth (2FA)".
> 
> It will then show a selector where you can choose which accounts MUST use 2FA in order to be able to login to the GUI:
> 
> - All accounts (with enabled 2FA)
> - Only Server-Administrator accounts (with enabled 2FA)
> - Server-Administrator and siteAdmin accounts (with enabled 2FA)
> 
> If the switch for "GUI access: Two-Factor-Auth (2FA)" is NOT ticked, anyone can login to the GUI without 2FA by just providing a valid username and password. That will be the default until you manually turn 2FA GUI access on.
> 
> Due to architectural reasons and to avoid undue complexity I don't want to allow 2FA for only GUI access on or off individually for accounts.
> 
> Means: You won't be able to say: "I want 2FA for SSH-access of User XYZ, but not for GUI access of User XYZ!!"
> 
> So if an account has 2FA enabled AND the GUI is configured to require 2FA, then the user must provide username, password and 2FA token (or one of the "one-time-codes").
> 
> 
> As for how the login will work in the future:
> ===============================================
> 
> If 2FA GUI access is required for everyone, the login form will show three input fields:
> 
> - Username
> - Password
> - 2FA Code
> 
> If 2FA GUI access is configured to be only required for certain Users (like serverAdmins and/or serverAdmins and siteAdmins)?
> 
> In that case the login form will first ask for ...
> 
> - Username
> - Password
> 
> ... and if the user is among the group of users for which 2FA is required, a second login page form will ask for the 2FA code.
> 
> 
> My question:
> =============
> 
> Before I do this I want to ask for general consent and consensus on this topic. Do you consider the outlined implementation "good enough" for your purposes? Or are there any other considerations or suggestions to implement this in a different way?
> 
> All input is welcome.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
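The access rules Michael outlines (the server-wide switch, the three-way selector, and the single-form versus two-step login) written out as a small policy model. This is an added example, not BlueOnyx code; the class and function names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    """Selector shown once 'GUI access: Two-Factor-Auth (2FA)' is ticked."""
    ALL = "all"                                      # All accounts (with enabled 2FA)
    SERVER_ADMINS = "server_admins"                  # Only Server-Administrator accounts
    SERVER_AND_SITE_ADMINS = "server_and_site_admins"  # serverAdmin and siteAdmin accounts


@dataclass
class GuiPolicy:
    require_2fa: bool = False   # default: switch not ticked, password login only
    scope: Scope = Scope.ALL


@dataclass
class Account:
    name: str
    is_server_admin: bool = False
    is_site_admin: bool = False
    twofa_enabled: bool = False  # the same 2FA setup that already protects SSH


def role_in_scope(acct: Account, scope: Scope) -> bool:
    """Is this account's role one the selector marks as needing 2FA?"""
    if scope is Scope.ALL:
        return True
    if scope is Scope.SERVER_ADMINS:
        return acct.is_server_admin
    return acct.is_server_admin or acct.is_site_admin


def must_present_2fa(acct: Account, policy: GuiPolicy) -> bool:
    """2FA is demanded only when the switch is on, the role is in scope AND
    the account itself has 2FA enabled; there is no GUI-only per-account toggle."""
    if not policy.require_2fa:
        return False
    return role_in_scope(acct, policy.scope) and acct.twofa_enabled


def first_form_fields(policy: GuiPolicy) -> list:
    """Fields on the first login page: three when 2FA is required for
    everyone, otherwise just username and password."""
    if policy.require_2fa and policy.scope is Scope.ALL:
        return ["username", "password", "2fa_code"]
    return ["username", "password"]


def second_step_needed(acct: Account, policy: GuiPolicy) -> bool:
    """In selective mode the 2FA code is asked on a second page, but only
    after the password check and only for accounts that must present it."""
    return must_present_2fa(acct, policy) and "2fa_code" not in first_form_fields(policy)
```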
