Two-factor authentication support

[doobry-systemli]

Adds support for TOTP-based two-factor authentication.

Overview

• Users can enable and disable two-factor authentication in their account settings. Both requires the user to enter their password. When two-factor authentication is enabled, the user has to verify that it's working by entering a TOTP token.
• Admins can remove the configured TOTP secret in order to restore accounts.
• The TOTP secret doesn't get cleared during the recovery process for security reasons. Otherwise, a single factor (recovery secret) would be enough to reset two factors (password + TOTP secret).

Fixes: #115

Screenshots

Enabling two-factor authentication in account settings

1. Settings overview
   

2. 2FA settings, 2FA not enabled
   

3. 2FA settings, enabling 2FA
   

4. 2FA settings, enabling 2FA, invalid token
   

5. 2FA settings, 2FA enabled
   

Two-factor form during login

[codecov]

Codecov Report

Merging #388 (5bb1177) into main (b761d1e) will decrease coverage by 1.73%.
The diff coverage is 15.87%.

❗ Current head 5bb1177 differs from pull request most recent head ded11c4. Consider uploading reports for the commit ded11c4 to get more accurate results

@@             Coverage Diff              @@
##               main     #388      +/-   ##
============================================
- Coverage     36.92%   35.19%   -1.74%     
- Complexity     1059     1120      +61     
============================================
  Files           175      183       +8     
  Lines          3967     4325     +358     
============================================
+ Hits           1465     1522      +57     
- Misses         2502     2803     +301     

Impacted Files	Coverage Δ
src/Admin/UserAdmin.php	0.00% <0.00%> (ø)
src/Controller/StartController.php	0.00% <0.00%> (ø)
src/Controller/TwofactorController.php	0.00% <0.00%> (ø)
src/Entity/User.php	90.90% <ø> (ø)
src/Form/TwofactorBackupAckType.php	0.00% <0.00%> (ø)
src/Form/TwofactorType.php	0.00% <0.00%> (ø)
src/Handler/UserAuthenticationHandler.php	100.00% <ø> (ø)
src/Repository/UserRepository.php	0.00% <0.00%> (ø)
src/Validator/Constraints/TotpSecret.php	0.00% <0.00%> (ø)
src/Traits/TwofactorBackupCodeTrait.php	40.90% <40.90%> (ø)
... and 5 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[doobry-systemli]

Open questions where I would appreciate input:

Do we want to reset 2FA during recovery process?

• Pro: User can restore their account when 2FA device got lost
• Con: From security perspective, recovery token is one-factor authentication. Users are asked to store it in a secure place, but still.

If we have support for 2FA backup codes, we could argue that users have to use them if they loose their 2FA device.

Do we want admins to be able to reset 2FA for accounts?

• Pro: Accounts where 2FA device got lost can be restored by admins.
• Con: Admins can downgrade the security of accounts.

Again, with 2FA backup codes we could say that users have an option to restore 2FA themselves.

Do we want to prod users to enable 2FA during login?

The only problem I see is that users might be overwhelmed by all the security-relevant information they need to store somewhere:

1. They have to choose a secret password and remember or store it.
2. They have to store their recovery code somewhere safe.
3. They have to configure 2FA in thir 2FA app.
4. They have to store 2FA backup codes somewhere safe.

That's not exactly a nice onboarding experience, is it? 🤔

[t2d]

Thanks for your awesome work. I haven't looked at the code yet, but I would like to provide some input for your questions:

Do we want to reset 2FA during recovery process?

Yes. Recovery process is like a fresh start for your account. There'll be no more mails inside. It just makes sense to also clear the 2FA token.

Do we want admins to be able to reset 2FA for accounts?

That's how it is commonly done and i think, it's a sensible thing to do. Especially for domain admins it'll be helpful. They can assist, but not give them selves access.

Do we want to prod users to enable 2FA during login?

From the example I guess you're talking about signup, not login. Then my anwser: Not yet. I agree, that the onboarding experience would be degraded. Also, 2FA is not that common to regular end-users.

In general, I'm a bit worried about confusing users with additional backup codes. But I also don't think it's possible to get rid of 2fa backup codes as you don't want to reset your whole mail account when you lose your phone. What do you think about the following idea?

When a user inserts their recovery code, give them them the choice to just delete their 2FA token or reset the whole password (and clear inbox).

[doobry-systemli]

Support for backup codes is now implemented (and covered by behat tests).

Six backup codes are generated automatically during twofactor configuration. The user is asked to acknowledge that they stored the backup codes at a secure place. Only afterwards twofactor authentication is enabled.

[doobry-systemli]

Thanks for your awesome work. I haven't looked at the code yet, but I would like to provide some input for your questions:

Do we want to reset 2FA during recovery process?

Yes. Recovery process is like a fresh start for your account. There'll be no more mails inside. It just makes sense to also clear the 2FA token.

That's wrong. Recovery process restores your account along with all the content.

What do you think about the following idea?

When a user inserts their recovery code, give them them the choice to just delete their 2FA token or reset the whole password (and clear inbox).

We decided against resetting 2FA configuration with the recovery process for now. Otherwise, we would compromise the security of two-factor authentication. Being able to reset both your password and your two-factor secret using the recovery token (regardless whether it's two options in the process or one) means that one factor (recovery token) is enough to reset both factors of your account. That's not a good idea IMHO.