[Koha-bugs] [Bug 28786] Two-factor authentication for staff client - TOTP
bugzilla-daemon at bugs.koha-community.org
Mon Jan 17 08:51:33 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786
--- Comment #60 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
(In reply to Jonathan Druart from comment #58)
> > [2] The randomizer (which we should not use) depends on Math::Random::MT.
> > This module says: This algorithm has a very uniform distribution and is good
> > for modelling purposes but do not use it for cryptography.
> > As long as we pass our own stronger secrets, no worries. See [1].
>
> Sorry, you lost me here. Which randomizer module?
See Auth::GoogleAuth:
    use Math::Random::MT 'rand';
    sub generate_secret32
    [...]
        return $self->secret32( join( '', @chars[ map { rand( scalar(@chars) ) } 1 .. 16 ] ) );
Please reread earlier comment.
> > [3] Martin refers earlier to Authen::OATH. I follow him there, but no
> > blocker.
>
> Why? Did you see my answer on comment 23?
> On the other hand, if we no longer use the QR code generator from
> Auth::GoogleAuth there is no bad reason to not switch. But what are your
> good reasons to switch then? :)
Martin mentions them already. I could only add: the fact that it potentially
exposes the secret in a GET parameter could be reason enough?
> > [5] This one I did not yet fully tackle. But I have the impression that we
> > have an issue in C4/Auth now. A few times already I had to log in twice.
> > This MIGHT be a blocker. Still needs investigation.
>
> Hum, I didn't experience it.
I will still be testing it a bit. Will report later.
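To illustrate point [2] above (generate the base32 secret from a CSPRNG rather than from Math::Random::MT, then hand it to the TOTP code), here is an added stand-alone Perl example; it is not Koha or Auth::GoogleAuth code. It assumes a Unix host with /dev/urandom, and checks itself against the RFC 6238 Appendix B SHA-1 test vector.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use feature 'say';
use Digest::SHA qw(hmac_sha1);    # core module

# RFC 4648 base32 alphabet, the same 32 characters generate_secret32 draws from.
my @chars = ( 'A' .. 'Z', 2 .. 7 );

# Draw the secret from the kernel CSPRNG instead of Math::Random::MT's rand().
# Assumption: /dev/urandom exists (true on the Linux hosts Koha runs on).
sub generate_secret32_secure {
    my ($length) = @_;
    $length //= 16;    # 16 base32 chars = 80 bits, same length as Auth::GoogleAuth
    open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
    my $got = sysread $fh, my $bytes, $length;
    close $fh;
    die "Short read from /dev/urandom" unless defined $got && $got == $length;
    # 32 divides 256, so byte mod 32 is an unbiased index into @chars
    return join '', map { $chars[ $_ % 32 ] } unpack 'C*', $bytes;
}

# Decode an unpadded base32 string to raw key bytes.
sub base32_decode {
    my ($s) = @_;
    my %val  = map { $chars[$_] => $_ } 0 .. $#chars;
    my $bits = join '', map { sprintf '%05b', $val{ uc $_ } } split //, $s;
    return pack 'B*', substr( $bits, 0, length($bits) - length($bits) % 8 );
}

# RFC 6238 TOTP: 30-second step, 6 digits, HMAC-SHA1 (what Auth::GoogleAuth emits).
sub totp {
    my ( $secret32, $time ) = @_;
    $time //= time;
    my $key     = base32_decode($secret32);
    my $counter = pack 'N2', 0, int( $time / 30 );    # 8-byte big-endian step count
    my $hmac    = hmac_sha1( $counter, $key );
    my $offset  = ord( substr $hmac, 19, 1 ) & 0x0f;  # dynamic truncation
    my $code    = unpack( 'N', substr $hmac, $offset, 4 ) & 0x7fffffff;
    return sprintf '%06d', $code % 1_000_000;
}

# Self-check: RFC 6238 vector, secret "12345678901234567890", T=59 -> 94287082.
my $rfc_secret32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
die "TOTP self-check failed" unless totp( $rfc_secret32, 59 ) eq '287082';

my $secret = generate_secret32_secure();
say "secret32: $secret";
say "code:     ", totp($secret);
```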