[Koha-bugs] [Bug 28786] Two-factor authentication for staff client - TOTP

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Sep 13 14:05:56 CEST 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786

--- Comment #37 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
Not a complete QA, but at least some remarks:

Nice development! Would like to see 2FA in Koha.

There was discussion about moving the secret to another table. I tend to follow
Tomas here. Two factor authentication now only includes TOTP, but we could
extend that. If we have several methods, they would (probably) have their own
secrets. So yes a separate table would be better.

In terms of security I wonder if we should let the user choose to enable 2FA.
If the library switches 2FA on, I would opt for enforcing it. How would you let
a user register at that point? Might be that you need some verification mail
mechanism here to allow access to the register page exposing the shared key
(QR).

As for code, Koha/Auth/TwoFactorAuth.pm should be a folder or base class. And
the TOTP code should move deeper then?
There is a Selenium test, but not a regular one?

The "Improve readability" patch triggers this remark ;) The code in C4::Auth is
very essential, but already a pain. The maintenance of it by adding the 2FA
will be even harder. No one volunteers to rewrite it, but wouldn't this be a
great opportunity? Just hoping... The current changes with a nice "ugly trick"
are not the greatest base for confidence.
