remoteStorage

Two-factor authentication


#1

Having recently rolled out Yubikeys at 5apps and using them for a range of things (from pw manager to SSH), I was wondering about adding similar security options to my remoteStorage account.

Now, it’s of course possible to add 2-factor auth for our normal 5apps login without thinking about the RS spec. The idea would be that after the connect, you have to have a second factor in addition to your bearer token in order to get an authenticated session for your IP for a certain amount of time for example.

If we specified an abstract version of “send string to server, expect positive or negative response”, and probably an addition of the 2FA methods supported by the storage provider (e.g. U2F, Yubikey, Authy etc.), we might be able to make this extensible for any possible 2FA method.

This is just a quick thought so far. Maybe you have opinions about the need and/or the feasability of something like this?


#2

Solved in a discussion with @fkooman on IRC:

<fkooman> raucao, i am not sure I follow your 2fa thing :) 
<raucao> so the idea would be that the storage can somehow require a second factor which would be valid for a certain amount of time
<raucao> basically giving you an implicit session for your ip
<fkooman> raucao, but is that in addition to the bearer token? 
<raucao> so you open an app after a while and the widget would ask you for a string
<raucao> yes, in addition
<fkooman> the bearer token is something that should be valid for a certain amount of time...
<raucao> yes, but much longer
<fkooman> you could just expire the token after 1h and require again authentication/authorization at the 5apps service...
<fkooman> and this is only for in-browser apps right? 
<fkooman> and binding it to an IP is maybe not such a good idea if you move around a lot? 
<raucao> good point
<raucao> but then we cannot have long-living tokens
<raucao> for daemons and such
<raucao> maybe we should make the expiry configurable when authing
<raucao> with a dropdown or sth
<raucao> valid for 1 hour, 1 day, indefinitely
<fkooman> yeah that is a plan :) 
<raucao> alright, and then add 2FA to the normal auth
<raucao> that makes sense

Thanks for showing me the light! :smile: