two-factor authentication #10630

Closed
ghost opened this issue Aug 25, 2014 · 4 comments

Comments


ghost commented Aug 25, 2014

I don't know if this is hard, or even possible, but it would be a nice feature to implement two-factor authentication.
I've been using google-authenticator app (https://code.google.com/p/google-authenticator/) for almost anything now, and I find it easy and quick.
From what I've read, PAM authentication is more like a module run on server level, so no idea if this could be pulled off from PHP.


razyr commented Aug 28, 2014

If Two-factor authentication is going to be added as a future feature, consider using a hard token such as Yubikey as an option.

@DeepDiver1975
Member

@LukasReschke THX


Grimeton commented Sep 4, 2014

I'm also looking into this to implement the DuoSecurity stuff.

What I'm actually not really aware of is if there is some kind of interface that one could use to implement it. It would have to take place AFTER the main logon and BEFORE the user is marked as authenticated.

AFAIK this isn't possible because the authentication is handled by Owncloud on its own or by some kind of plugin, like the user_ldap app. And when it's handled the user is always marked as logged in. So to not reinvent the wheel or make it necessary to implement a two factor auth inside each and every available auth plugin again and again it would be necessary to create some kind of interface inside Owncloud to make it possible.

I guess the easiest way would be to have some kind of array that is worked by Owncloud and if one of the auth options in the array returns false, logon is denied. Similar to how PAM works.

Does something like this exist already?

Another problem that comes up would be the OwnCloud sync client. Each and every time the client syncs, one would have to authorize that in 2 factor. So we need a workaround for this. One could be to filter based on the HTTP headers and figure out if it's the sync client and then bypass 2 factor. But that would make it pretty easy for crackers to do the same.

So something like a hash/token/whatever would be needed that the client uses to authenticate and sync. Maybe it would be necessary to register the client/machine to OwnCloud and create some kind of management UI that allows managing the connected clients by user and by admin.

KR,

G.
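
The PAM-like chain and per-client token described in the comment above, sketched in PHP as an added example that is not ownCloud code and not part of the thread: every step must return true before the session counts as authenticated, and the sync client presents a revocable per-device token instead of being recognised by its HTTP headers. All class and function names are hypothetical, and the second factor is a constructed stub standing in for a TOTP, YubiKey or Duo check.

```php
<?php declare(strict_types=1);
// Added illustration: all names are hypothetical, none is an ownCloud API.
interface AuthStep {
    public function check(string $user, array $request): bool; // false denies the logon
}
final class PasswordStep implements AuthStep {
    public function __construct(private array $hashes) {}
    public function check(string $user, array $request): bool {
        return isset($this->hashes[$user])
            && password_verify((string)($request['password'] ?? ''), $this->hashes[$user]);
    }
}
final class SecondFactorStep implements AuthStep {
    public function __construct(private \Closure $verify) {} // stub for TOTP/YubiKey/Duo
    public function check(string $user, array $request): bool {
        return ($this->verify)($user, (string)($request['otp'] ?? ''));
    }
}
final class DeviceTokens {
    private array $owners = []; // sha256(token) => user; the token itself is not stored
    public function issue(string $user): string {
        $token = bin2hex(random_bytes(32));
        $this->owners[hash('sha256', $token)] = $user;
        return $token; // shown once, then entered into the sync client
    }
    public function revoke(string $token): void { unset($this->owners[hash('sha256', $token)]); }
    public function owner(string $token): ?string { return $this->owners[hash('sha256', $token)] ?? null; }
}

function login(string $user, array $request, array $steps, DeviceTokens $tokens): bool {
    if (isset($request['device_token'])) { // sync client path; the User-Agent is never consulted
        return $tokens->owner((string)$request['device_token']) === $user;
    }
    foreach ($steps as $step) {
        if (!$step->check($user, $request)) { return false; } // any failing step denies the logon
    }
    return $steps !== []; // only now may the session be marked authenticated
}

// Constructed sample data: one user, a fixed stub code, one registered sync client.
$steps = [new PasswordStep(['alice' => password_hash('pw', PASSWORD_DEFAULT)]),
          new SecondFactorStep(fn(string $u, string $otp): bool => hash_equals('123456', $otp))];
$tokens = new DeviceTokens();
$sync = $tokens->issue('alice');
var_dump(login('alice', ['password' => 'pw'], $steps, $tokens));                    // password only
var_dump(login('alice', ['password' => 'pw', 'otp' => '123456'], $steps, $tokens)); // both factors
var_dump(login('alice', ['device_token' => $sync], $steps, $tokens));               // registered client
$tokens->revoke($sync);
var_dump(login('alice', ['device_token' => $sync], $steps, $tokens));               // same token after revocation
```

Because only the hash of each device token is kept, a leaked token table does not hand out working sync credentials, and revoking one client leaves the user's other devices untouched.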

@LukasReschke
Member

Closed in favour of #12102
