#1 2020-10-08 09:03:18

squirrel
Member
Registered: 2015-08-13
Posts: 155

2FA Authentication

Is anybody using 2 factor authentication together with mormot? 

I am thinking of adding (optional) 2fa to a web app (javascript) that currently authenticates against a mormot server and uses its interfaces.  There are no Delphi/desktop programs connecting to it, just JS clients.

I already use a custom TSQLRestServerAuthenticationDefault class for authentication, so I assume that the overridden Auth and/or GetUser functions will need to be changed to support that.  What I'm not so sure about is when the TSQLAuthUser will be created.  Depending on the type of 2fa (sms, email etc) a significant amount of time can pass between the first authentication and when the 2fa value is provided.

Ideally the process would be: authenticate, send 2fa key, get 2fa key from user, activate the login that has already happened.  But I'm not sure that will work, because then, either the user will have to log in again, or the activation of the login session will have to be manually checked in every interface to prevent the pre-2fa login session from getting access to the interfaces.

If anybody already added 2fa to their projects, some guidance/pointers will be very helpful.


#2 2020-10-08 09:32:37

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655

Re: 2FA Authentication

If I am correct, 2FA authentication is during the authentication process, not within the main mORMot process.

What I would do is not use default mORMot authentication, but a JWT.
This JWT will be generated by an authentication service (something like OAuth), in two steps, sending an email or a sms in-between.

You could reuse the same code for password recovery, by the way.


#3 2020-10-08 09:47:25

squirrel
Member
Registered: 2015-08-13
Posts: 155

Re: 2FA Authentication

Thanks for the suggestion ab, I'll check on JWT again. 

I'll probably still need to have mormot sessions, since we use a complicated permissions system.  So some of the interface functions look up the current session user (and some properties captured when he logged in) to determine which actions may be allowed.  From what I understand from https://synopse.info/forum/viewtopic.php?id=4840, TSQLAuthUser may not be available from the context.


#4 2020-10-08 17:09:12

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: 2FA Authentication

In simple cases we use a TOTP as the second factor. The user provides a user name/password and the TOTP code at once, so we do not need to wait a significant amount of time between the first authentication and when the 2fa value is provided, since we have just one step.


#5 2020-10-09 07:37:22

squirrel
Member
Registered: 2015-08-13
Posts: 155

Re: 2FA Authentication

Thanks mpv, that is a good idea and will fit very well within the current process, even better than sms or email 2fa.


#6 2020-10-09 08:37:16

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: 2FA Authentication

My JS implementation for TOTP is here; nhmac_sha1 there is a binding to hmac_sha1 from SynCrypto. Our users use Google Authenticator or FreeOTP on their phones (I personally use FreeOTP).

Last edited by mpv (2020-10-09 08:39:44)
